The US government rerouted CISCO routers to a factory that tampered with them before sending them to their final destinations. There's no reason to believe this stopped or isn't still being done in similar ways. It doesn't have to be a USB-C dock, it could be anything.
We don’t talk about the Snowden leaks enough. It’s truly shocking what was in there and we’ve all uttered a collective “meh”. I don’t know what SHOULD be done, or could be done, but it’s odd how rarely that data is incorporated into popular perception of the government and how much rarer still it is that we discuss it and contemplate what has been taking place in the intervening years.
These are targeted attacks by a nation state. That's not my threat model. I'm just trying to be reasonably secure against ordering a name brand device and having it exfil secrets.
Imho, there's a big difference between supply chain attacks on core Cisco routers vs USB hubs.
These attacks are not easy or cheap, and by their very nature need to be deployed in small % of total installs (as every use increases the likelihood of discovery).
Criminal organizations interested in ransoming details might be interested in casting a wide net, but intelligence services less so.
The US government rerouted CISCO routers to a factory that tampered with them before sending them to their final destinations. There's no reason to believe this stopped or isn't still being done in similar ways. It doesn't have to be a USB-C dock, it could be anything.