USB-C Authentication Program Launches to Offer Future Protection Against Malicious Hardware

The USB Implementers Forum today announced the launch of a USB Type-C Authentication program, which is designed to create a cryptographic-based authentication definition for USB-C chargers and devices.

This is important because USB-C Authentication will provide protection from malicious firmware and hardware in USB-C devices. Multiple USB-based attacks exist in the wild, capable of keystroke injection, installing backdoors, emulating mouse movements, logging data, hijacking traffic, infecting machines with viruses, and more.


In addition to protecting against malicious hardware, the program will keep host systems safe from non-compliant USB chargers that could potentially cause harm.

With the USB-C Authentication protocol, host machines will be able to confirm the authenticity of a USB-C device, cable, or charger. This confirmation happens right when a connection is made, before inappropriate power or data can be transferred.

The USB-IF has outlined the characteristics of the USB Type-C Authentication Program:
  • A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

Manufacturers who create devices that use USB-C will be able to implement the new authentication protocol in their devices to protect consumers. There is no requirement to implement support for USB-C authentication at this time, with the protocol provided as an option to OEMs.

Though Apple has not commented on the release of the program, the Cupertino company will likely be one of the companies to adopt USB-C authentication protocols in the future given its focus on security.



Top Rated Comments

9 months ago
No more 3rd-party chargers in 3....2...
Rating: 4 Votes
9 months ago
This is rather short on details.


* will there be a central certification authority? Or can any manufacturer create their own keys? Can a manufacturer like Apple decide to whitelist or blacklist certain devices?
* how much control does the user get? Does the spec expect the OS to present a dialog, like iOS 7 and newer do for Lightning devices, for the user to confirm that the device is trustworthy? If so, has there been usability research on this, particularly regarding the risk of making such a dialog useless as the user is trained to always accept?
Rating: 3 Votes
9 months ago
I’m surprised it took this long for anything like this to be announced. It should have been announced years ago. The overall risk is still quite small but eventually I can see this being mandatory for any plug and play device.
Rating: 3 Votes
9 months ago
Sounds like DRM
Rating: 3 Votes
9 months ago
Great, Apple will now use this to block any accessories that aren't "made for Mac" and force people to buy their $80 dongle smh
Rating: 3 Votes
9 months ago
Hope the protocol will be used to enhance security and not to block 3rd-party devices from working. Or even worse, use it for throttling or limiting functionality.

Raises tons of questions about the management and organisation around it, though. Just to mention a few: Who decides what is ‘safe’ and for whom? Who has authority to blacklist, based on which criteria and on which terms?
Rating: 2 Votes
9 months ago
As long as it's optional, this is a boon for anyone security conscious. Especially if it applies to Thunderbolt. There's all kinds of wild malicious tricks that can be performed over USB these days, and anything that can potentially lock them out will be welcome.
Rating: 2 Votes
9 months ago

> I don't know what you mean by "leads".
>
> USB was never a particularly dumb connector. It's gotten more complex with type C, but type A/B was hardly dumb, and BadUSB (https://en.wikipedia.org/wiki/Firmware#Security_risks) attacks were possible with those.
>
> I can sort of see making it more configurable in an MDM environment, and probably a developer mode where you opt out entirely so that you can test self-developed hardware. But other than that, odds are this will be mandatory on macOS and Windows within a few years.


Lead: from the dictionary, "BRITISH a wire that conveys electric current from a source to an appliance, or that connects two points of a circuit together."

Dumb Connector: n conductors in, arranged in a particular plug format; n conductors out, also arranged in a particular plug format. No electronic signal processing in the lead at all. Just moving electrons along separate conductors between devices. All the processing to be done in the devices themselves, rather than having some processing done in the lead.

The only reason, in this case, for putting electronics into the cable (yes, to be pedantic, into one or both of the plugs), is to be able to dictate terms for licensees to be able to manufacture and sell cables that some fee has been paid for.
Rating: 1 Votes
9 months ago

> I’m surprised it took this long for anything like this to be announced. It should have been announced years ago. The overall risk is still quite small but eventually I can see this being mandatory for any plug and play device.


This could've been one reason why Lightning was developed and held on for so long. With this new protocol, we could see Apple move entirely to USB-C. I'd miss Lightning, but we will adapt.
Rating: 1 Votes
9 months ago

> Lead: from the dictionary, "BRITISH a wire that conveys electric current from a source to an appliance, or that connects two points of a circuit together."
>
> Dumb Connector: n conductors in, arranged in a particular plug format; n conductors out, also arranged in a particular plug format. No electronic signal processing in the lead at all. Just moving electrons along separate conductors between devices. All the processing to be done in the devices themselves, rather than having some processing done in the lead.
>
> The only reason, in this case, for putting electronics into the cable (yes, to be pedantic, into one or both of the plugs), is to be able to dictate terms for licensees to be able to manufacture and sell cables that some fee has been paid for.


No. Safety of USB Power Delivery necessitates putting electronics into the cable. You'd not want your 15" MBP trying to draw over 4 amps through some thin cable rated for 500 mA... That's why the cable has to be part of USB PD negotiation.
Rating: 1 Votes