Apple seems poised to make it harder to use cheap USB-C cables with its devices, and while it might make a few dollars more from the purported scheme, there are also good reasons to enter the system.
Apple needs to make a dollar or two
The claim is that Apple intends to replace Lightning ports and cables with USB-C in the iPhone 15, and when it does, it will introduce a Made For iPhone (MFi) scheme for such products. The idea is that consumers can buy cables and other devices with complete confidence that they are compatible with their iPhone.
According to some reports, the downside is that USB-C devices that are not licensed under the MFi scheme could end up being penalized – they may not work at all, may only support a limited charging speed, and may not be able to share data.
Apple critics will attack the company out of greed as members of the MFi scheme must pay for the privilege of licensed status. That means iPhone users can’t just use any USB-C cable, and the ones they do use may cost more.
How valuable is your data?
But I don’t think it’s just greed that drives this decision. It is the necessity of securing your iPhone and everything on it. It also tracks several attacks that have targeted key industries and infected systems using USB-C. Given Apple’s commitment to securing its supply chain, this is a problem that needs to be solved, especially as the company co-chairs the Cyber Readiness Institute.
The move may also reflect cross-sector preparations to bring the company into line with the EU law on cyber resiliencewhich requires manufacturers to take steps to secure electronic products of all kinds before they are sold.
A major limitation of USB-C is that the cables themselves can be compromised and used to steal data from devices, and such attacks can be carried out by anyone who has physical possession of your device.
Malicious cables can hold GPS trackers, make calls, or steal usernames, passwords, and data from connected devices while turning the device into a gateway to the wider corporate network.
There are literally dozens of ways USB can be used to compromise devices.
When security becomes a weakness
It’s funny to think to what extent these kinds of attacks have evolved from the work of national security agencies.
In the US, the National Security Agency (NSA) created its first malicious USB cable in 2008. Codename cotton mouth the cables sold for over $1,000 each in batches of 50. Today, you can pick them up online for a fraction of that cost.
Of course, while the standard itself has evolved, the moral of that part of today’s story is that nasty security threats tend to proliferate. The history of digital technology is littered with illustrations that show today’s government backdoor becoming tomorrow’s attack route of choice for every teenage hacker working from their bedroom.
More recently, the resurgence of BadUSB attacks against major infrastructure providers in early 2022 — targets tricked into plugging malware-laden USB drives into their machines — shows just how much effort it takes to penetrate enterprise endpoints.
Other attacks use public USB-C access points; think what could happen if hackers had control of the USB-C slot you connect your iPhone to during an airport layover — the damage could be done before you even land.
USB-C and authentication
One of the reasons computers are vulnerable to such attacks is that USB-C has no mandatory authentication system. The USB Implementer’s Forum (on which Apple sits) does offer a voluntary one authentication protocol for USB-C chargers, cables, devices and power sources that detect unknown cables and verify that the device is certified. But not everyone uses this.
We know that the increasingly security-oriented Apple is aware of the risks of USB-C. We also know that it is aware of the USB-C authentication standard. Still, it seems interesting that when that system was introduced, explained the press release:
“USB Type-C authentication allows host systems to protect against incompatible USB chargers and mitigate risks from malicious firmware/hardware in USB devices attempting to exploit a USB connection.”
At that time, some security researchers warned that this security technology could eventually be used by manufacturers to require customers to use only “approved” USB-C equipment.
That seems to be what Apple is planning.
However, in the interest of national security and given that USB cables are actively used to launch attacks against national infrastructure, it makes sense to ensure that the USB-C devices you or your employees have on your Plug in iPhones, don’t get damaged. steal your digital existence, even if they cost a few dollars more.
Please follow me on Mastodonor join the AppleHolic’s bar & grill And Apple Discussions groups on MeWe.
Copyright © 2023 IDG Communications, Inc.