Dubbed OMG Cables, these new variants are more capable than their counterparts. According to their creator, payloads can be triggered from over one mile away. Attackers can use them to log keystrokes and change keyboard mappings. There is also a geofencing feature, a kill switch and the ability to forge the identity of specific USB devices, like those that can leverage a specific vulnerability.
While it’s unlikely us random, generic people will ever be the target of tools like this, there’s no doubt in my mind they’re being used all over the world to monitor dissidents, spy on competing companies, and so on.
USB C is “generally” safe… however, type-C is not.
The same* cable can carry thunderbolt 3, which is essentially an external PCI device with DMA access. I think there have been some patches to address that, but one would not know whether those are applied on the current system.
And Apple famously hid an ARM based airplay server inside their video cables: https://panic.com/blog/the-lightning-digital-av-adapter-surprise/ . So instead of adding basic DisplayPort/VGA signals in the phones, they decided to provide extensive capabilities and responsibilities to the cable side.
So, even though plain old USB is generally safe, USB looking cables can be really dangerous. And this does not include plain old autorun attacks, or general vulnerabilities.
This could be “solved” by removing direct hardware access from cable protocols (probably requires throwing away lots of accessories), and the OS UI showing explicit list of devices detected, especially for new cables. (i.e.: “You have just plugged in a charger, network adapter, display and keyboard. Would you like to continue?” would be enough to throw of many attacks)