A new security feature in Apple’s upcoming macOS 13 Ventura will automatically block new USB-C devices from communicating with the operating system until the accessory can be approved by the user.
Apple dropped details of the new security feature in its release notes, which appears to be aimed at protecting newer Apple laptops that run its bespoke M1 or M2 chips from potentially malicious accessories.
According to Apple’s description, the feature will be enabled by default and will require the user to approve a USB-C accessory before it can talk to the operating system — essentially an on-screen pop-up asking the user for permission. Apple says this doesn’t apply to power adapters, standalone displays, and connections to an approved hub — and devices can still charge even if you don’t approve the accessory. Apple says that accessories that are already connected will automatically work when updating to the new macOS software.
The move to restrict USB-C devices by default is a tacit nod to an evolving range of threats that pose a risk to Apple users. Researchers have shown it’s possible to hide malicious implants in regular-looking charging cables that can hijack computers to laptop-bricking USB devices that are designed to permanently fry a computer’s innards.
The new macOS feature is also near-identical to USB Restricted Mode that Apple introduced in iOS 12, which prevents unauthorized accessories and cables from accessing the data on iPhones and iPads without the owner’s permission, at a time where law enforcement were using phone-cracking devices to skirt Apple’s device security.
Here’s the full description from the release notes (as first spotted by The Verge):
On portable Mac computers with Apple silicon, new USB and Thunderbolt accessories require user approval before the accessory can communicate with macOS for connections wired directly to the USB-C port. This doesn’t apply to power adapters, standalone displays, or connections to an approved hub. Devices can still charge if you choose Don’t Allow.
You can change the security configuration in System Settings > Security and Privacy > Security. The initial configuration is Ask for new accessories. Configuring an accessibility Switch Control sets the policy to always allow accessory use. Approved devices can connect to a locked Mac for up to three days.
Accessories attached during software update from prior versions of macOS are allowed automatically. New accessories attached prior to rebooting the Mac might enumerate and function, but won’t be remembered until connected to an unlocked Mac and explicitly approved.