Slashdot Mirror

← Back to Stories (view on slashdot.org)

USB Type-C Authentication Program Launched (newatlas.com)

Posted by msmash on from the bolstering-security dept.

With the arrival of USB-C a few years back, plugging into laptops, tablets and smartphones became even easier than before. But there are potential security risks. The USB Type-C Authentication Program launched today aims to address such issues. From a report: The new protocol from the USB Implementers Forum (USB-IF) can be used to validate the authenticity of a cable, charger or hardware at the moment of connection, and stop attacks in their tracks. The USB-IF has chosen DigiCert to operate registrations and certificate authority services for the new specification, which makes use of 128-bit cryptographic-based authentication for certificate format, digital signing, hash and random number generation.

"USB Type-C Authentication gives OEMs the opportunity to use certificates that enable host systems to confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors, capabilities and certification status," said DigiCert in a press release. "This protects against potential damage from non-compliant USB chargers and the risks from maliciously embedded hardware or software in devices attempting to exploit a USB connection."

7 of 133 comments (clear)

  1. Lovely. by Anonymous Coward · · Score: 5, Insightful

    So this is going to enable Apple and their ilk to even more aggressively force people to buy their own craptastic cables.
    Good intentions, but I know exactly how this will be used.

    Mark my words, it will be used to oppress the user, not protect them.

  2. Authorized Devices Indeed by Mia+Yuuki · · Score: 5, Insightful

    I can see it now. I am sorry, the certificate on your charging cables does not match the approved list on the phone and thus you need to order a new charging cable from the vendor. Oh, and if you persist in trying to use the non-approved cable from Amazon, we will be forced to void your warranty. Remember kids, only use Vendor OEM USB Devices. Everyone else is just a crook.

    1. Re:Authorized Devices Indeed by Anonymous Coward · · Score: 5, Insightful

      Worse: "The certificate for your otherwise authorized power supply has now expired."

    2. Re:Authorized Devices Indeed by mysidia · · Score: 4, Insightful

      On the other hand it can be used to prevent that rogue USB flash drive you found on the parking lot from installing a key logger in your computer.

      Not at all. That Rogue USB flash drive will still be able to contain installable malware. Nothing about the authentication standard changes that.

    3. Re:Authorized Devices Indeed by sexconker · · Score: 4, Insightful

      Devices were putting themselves in danger by not having basic electrical protection on the ports. In 90s, this was such a common (and commonly solved) problem that the Tawainese motherboard manufacturers listed all sorts of per-USB-port short, over voltage, over current, etc. protections on the box.

      It became a problem again with USB 3 because the first players to the market with USB controllers didn't learn their lesson from the USB 1.0/1.1 days. There's absolutely no reason a bad USB cable should be able to kill an entire device. At worst, it should kill a single port. Ideally, it would have a replaceable/resettable fuse so you don't even lose the port.

  3. Re:This protects additional revenue streams by mysidia · · Score: 3, Insightful

    As for malicious attacks, no certificate is going to protect the port against a brute force "fry the port" chargers.

    Malicious actors are likely going to find a way of cloning the certificate off a legitimate USB Host and simply re-using that identity.

  4. Re:Why the cable? by willy_me · · Score: 3, Insightful

    The USB Type-C standard already mandates an active cable if you want to utilize the full 5A that the standard can supply. It might not have information on the condition of the cable - but nothing can prevent users from being stupid. It is just another level of security which, with all the other protections, helps prevent damage when power traverses USB.

    It is easy to add an IC to a USB connector - they are basically designed for it. See this part to see how it is typically done. So adding the ability to verify the cable does make sense for workplaces that require the security. It is just too easy to, for example, add a keylogger to a cable.

    No computer manufacturers would ever get away with requiring authenticated cables. Apple might try but the public outcry would be immense. That being said - having it as a bios setting is exactly what a certain subset of users require.