Why You Shouldn't Plug Unknown Devices Into Your Computer

In 2010, news emerged of a computer worm designed to hobble Iran's nuclear program, called Stuxnet, that was planted using USB thumb drives. If only they'd had macOS Ventura back then.

In macOS Ventura, Apple has closed one big security hole. The Mac will no longer allow any old USB device to connect when you plug it in. Instead, in a model much like that on the iPad and iPhone, plugging in a USB device will prompt the user for approval. 

"It is a terrible idea to connect unknown devices to your computer. Hackers consider USB devices to be an 'attack vector' or a weakness that might grant them access to a computer or network. Get someone to connect a drive infected with malware to a computer, and you're in," Travis Lindemoen, managing director of Nexus IT Group, told Lifewire via email. 

US B Careful

Most everyday attacks on computers come over the internet. This is why we are trained not to click on email links and to be vigilant about what we connect our computers to. But that's not the only way to attack a computer. 

Some of the worst exploits get dismissed as being a danger because they require physical access to your machine. It used to be that once an attacker had your computer in their hands, all bets were off. They only needed time, and they'd have access to everything. Then came the iPhone, which Apple has progressively hardened until today. It's not even worth stealing one because the thief cannot unlock it. 

Macs have gotten better at this too, and now that they run on the same basic chips as the iPhone and iPad, they benefit from this physical security. But even then, USB is a prime vector for delivering malware, partly because it can get past outward-looking defenses like firewalls, etc. 

Hackers? They’re Not Interested in Me

Stuxnet was a targeted attack, designed to monkey with the controllers from Siemens, which are used in many industrial processes. While it spread throughout computers worldwide, it had one target: the centrifuges used in Iran's uranium enrichment facility. The beauty of using USB as a vector is that it can infect computers that are forever kept offline for security purposes. 

Now, unless you are a prominent industry or government figure, it is unlikely that you will be a direct target like that. But that's not the only point of an attack. Good old-fashioned malware can be spread over USB, too. Or ransomware, which encrypts the data on your computer's hard drive and demands a payment to unlock it.

"I'm sure that you also rationalize these fears away by telling yourself that no one would get near your Mac armed with anything like those custom USB-C or Thunderbolt devices. But what if it's a notebook, and you fall asleep on the train while using it? Or it's misplaced or stolen?" says Mac system spelunker and expert Howard Oakley on his Eclectic Light Company blog. 

Malware can spread by hopping from computer to computer via USB. An infected computer will load the malware onto any thumb drive the user attaches, and then it will wait until it's connected to another machine. 

But it can also be built into cables and chargers. That's right. If you plug your phone into a charger at the local coffee shop, that charger could be delivering its payload while you order your ridiculously complicated non-coffee beverage. 

It can even be built into a Lightning cable, which is a good reason only to buy cables from reputable vendors and ensure you're not getting a counterfeit. 

Ventura's new Accessory Security feature can help with this, but once you give a connected USB device your permission, you still might get infected. The feature also doesn't protect against devices connected to approved USB hubs, power adapters, or displays. 

On the other hand, if you're a character in a TV show or a movie, and an adversary tries to install some tracking software on your computer via a USB stick, they will be stymied. As long as the scriptwriters remembered to install the latest version of macOS on your imaginary computer.