The USB Implementers Forum today announced the launch of a USB Type-C Authentication program, which is designed to create a cryptographic-based authentication definition for USB-C chargers and devices.
This is important because USB-C Authentication will provide protection from malicious firmware/hardware in USB-C devices. There are multiple USB-based attacks that are out in the wild and are able to do things like keystroke injection, installing backdoors, emulating mouse movements, logging data, hijacking traffic, infecting machines with viruses, and more.
In addition to protecting against malicious hardware, the program will keep host systems safe from non-compliant USB chargers that could potentially cause harm.
With the USB-C Authentication protocol, host machines will be able to confirm the authenticity of a USB-C device, cable, or charger. This confirmation happens right when a connection is made before inappropriate power or data can be transferred.
The USB-IF has outlined the characteristics of the USB-Type-C Authentication Program:
- A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
- Support for authenticating over either USB data bus or USB Power Delivery communications channels
- Products that use the authentication protocol retain control over the security policies to be implemented and enforced
- Relies on 128-bit security for all cryptographic methods
- Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation
Manufacturers who create devices that use USB-C will be able to implement the new authentication protocol into their devices to protect consumers. There is no requirement to implement support for USB-C authentication at this time, with protocol provided as an option to OEMs.
Though Apple has not commented on the release of the program, the Cupertino company will likely be one of the companies to adopt USB-C authentication protocols in the future given its focus on security.
Top Rated Comments
* will there be a central certification authority? Or can any manufacturer create their own keys? Can a manufacturer like Apple decide to whitelist or blacklist certain devices?
* how much control does the user get? Does the spec expect the OS to present a dialog, like iOS 7 and newer do for Lightning devices, for the user to confirm that the device is trustworthy? If so, has there been usability research on this, particularly regarding the risk of making such a dialog useless as the user is trained to always accept?
Raises tons of questions about the management and organisation around it, though. Just to mention a few: Who decides what is ‘safe’ and for whom? Who have authority to blacklist, based on which criterias and on which terms?