X
Tech

The one serious MacBook Pro security flaw that nobody is talking about

Every MacBook since 2015 and every MacBook Pro since 2016 is at risk. Here's how you can keep your machines safe.
Written by David Gewirtz, Senior Contributing Editor

One of Han Solo's trademark lines was "I've got a bad feeling about this." Ever since I started thinking about getting the 2018 i9-based, 32GB MacBook Pro, I've been having a bad feeling, but I couldn't put my finger on what it was.

Yes, there have been discussions about performance throttling based on how hot the machine gets. And yes, there's always the discussion of the butterfly keyboard.

Plus there's the lack of ports. I make active use of the USB 3.0 and Thunderbolt ports, as well as the SD card slot on my 2015 i5-based MacBook Pro.

But it's not any of those concerns. I'm aware of them. It's been something else. Something serious. Something that can be trouble for any modern MacBook Pro user. But for weeks, I haven't been able to identify what was causing the tickle on the back of my neck.

Then, last night, as I plugged my current MacBook Pro into its snuggly MagSafe 2 power connector, I thought, "I'm going to miss the convenience of this." And then it came to me.

It's the USB-C ports. Because of the USB-C ports, all MacBook Pros introduced since late 2016 are inherently unsafe. Likewise, all of the 12-inch MacBooks introduced since 2015 are inherently unsafe.

It's all about the power

Okay, follow along with me. With my 2015 MacBook equipped with a MagSafe port, if I want to charge the machine, I just plug it in. There's no risk of a data connection. As long as I have networking off and nothing plugged into any of my ports, I'm safe. I'm air-gapped from the rest of the world.

MacBooks before 2015 and MacBook Pros before 2016 could charge without any risk, as long as everything else was off, empty, or disconnected.

Also: Air-gapping the planet: How to travel safely in digitally scary places

But with the MacBook from 2015 on, and for the MacBook Pros from 2016 on, the only way you can charge the notebook is by connecting to a USB-C port.

That's right. In order to charge the machine, you must connect to a port capable of transferring data. You have no choice.

For Apple, a company whose enhanced security has been one of its main selling points for years, this is a short-sighted, potentially brand-damaging, and dangerous decision.

In Europe, it could be worse

To be fair, this has long been a problem with iPhones (until the iPhone 8 and X who allow wireless charging). To charge any iPhone via cable, you've always had to plug in a data-capable connector, whether it was the old 30-pin dock connector or the Lightning connector.

For other smartphones, the problem is similar, although most phones used micro USB connectors, and now, most use USB-C connectors.

From a security point of view, wireless charging, like that on the newer iPhones and Galaxy S9, can be a substantially safer way to go, because you're able to charge the devices without ever plugging in a data-capable cable.

Of course, at least for Android devices, there are still serious malware threats that can enter the device via text, email, browsing, and p0wn3d apps, but at least one path of least resistance can be closed up.

In Europe, though, USB-C could be a real problem. The EU is considering mandating a switch to USB-C as the standard connector for all phones.

Read also: Why the EU might force Apple to swap its Lightning connecter for USB

While this type of standardization does have its benefits, if the EU extends its USB-C demands to notebook computers, those computers that still charge with external, dedicated charging connectors might be forced to use a data-capable connector for charging.

While Apple has moved all its notebooks to USB C-based charging, many Windows-based laptops can still be air-gapped while charging.

Why worry about this

I kind of like to use the adapters and dongles that come with the products I buy. Maybe you do, too. At this point, though, I'm willing to bet that most of us have a bin of dongles, adapters, and cables of uncertain origins. It's not unusual to borrow cables, dongles, and chargers when we're caught with our batteries down.

That was all well and good back when MacBooks required Apple-made chargers. Even then, there were aftermarket providers. But now, you're expected to plug your USB-C adapter into a MacBook Pro on one side, and into a possibly random USB charger on the other. That's where the trouble begins.

As far back as 2013, CBS News reported on fake Apple chargers (in this case, for iPhones). Last year, I wrote about how USB chargers are available that not only charge devices, but spy on you. Spying isn't the only problem. Many of the fake brand name or inexpensive aftermarket chargers are unsafe as well. Such chargers can cause shocks or even fires.

This is such an ongoing problem (even with Lightning cables) that Apple has a page dedicated to explaining how to identify counterfeit chargers.

Now, let's take the risk up a notch. Apple products are in active use in some very sensitive operations. Back in the day, President Obama was known to use both an iPad and a MacBook Pro.

In 2016, the US Department of Defense may (or may not) have dodged this bullet. In June of 2016, the DoD awarded an IT contractor $5,245,064 for the purchase of roughly 2,000 MacBook Pros.

Also: How I learned to stop worrying and love USB Type-C

The performance date of the contract shows that the award period was between June and September 2016. Since the first USB-C equipped MacBook Pros were announced in October of that year, and volume shipping took until December, the DoD may have been delivered pre-USB-C devices. On the other hand, since nothing in the government runs on time, it's entirely possible that thousands of those machines plug into the wall via a USB-C connection.

Of course, the government isn't alone. Some very large, recent Mac deployments include thousands of Macs sold to GE, IBM, SAP, and Capital One.

The scenario is troubling. All that has to happen to corrupt some of these massive deployments is the substitution of a USB charger. Even if every other precaution has been taken, the mere necessity of keeping the devices charged up puts machines at risk. Prior to the USB-C-only MacBook Pros, at least charging the device wasn't a possible hacking vector.

There's no doubt there are many different ways for malware to penetrate the enterprise. But there once was a time when the mere act of charging was safe. Now, with MacBooks and MacBook Pros, even that's a potentially serious security risk.

How to stay safe

Here's what I recommend. If you must buy mobile Macs, make sure you buy your spare or replacement power adapters directly from Apple. As long as the company is careful with its supply chain, you can be reasonably assured of staying safe. Even buying from Amazon might not be as secure.

As for your phones -- especially if you work in a high-securty environment -- you, too, would do well to buy your USB adapters directly from Apple. If you're in the DoD, the White House, or in an environment where a hack could be devastating, toss out those no-name imported adapters and buy your dongles from the vendor who makes your phones.

Beyond dongles and adapters, there's a wide range of best practices for keeping your devices safe. That's beyond the scope of this article, but read around on ZDNet, TechRepublic, and CNET for tons of great advice.

Here's a start:

My next Mac purchase

As for me, my once-powerful 2013 iMac definitely needs to be replaced. While the new i9 MacBook Pro could do the job, I don't really need another notebook. What I really want is an updated Mac mini with pro specs. Since we're expecting the next set of Mac announcements near the end of this month, I'll hold of buying at least until then.


You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Apple's refreshed MacBook Pro 2018 models: Here's what's new, spec by spec

Previous and related coverage:

Apple vs Samsung phones: We compare the Galaxy S series and the iPhone XS

Should you buy the latest Apple or Samsung device? And which size? This guide breaks down the factors that matter most to business buyers and consumers alike.

Six months with Apple Watch 3: I'm sold

I hadn't worn a watch for 20 years when I bought an Apple Watch Series 3 six months ago. Now I wear it every day. Here's why -- and what I don't like.

Will there be an October Apple event? Signs point to yes

Once again, David Gewirtz puts on his mystical prognostication hat (okay, fine, he launches Excel) to delve into Apple announcement history. Will we see new Macs, iPads, and whatnot in October? There's a pretty good chance, and we'll even tell you what dates to write in your calendar.

Related stories:

Editorial standards