The USB Promoter Group announced a new cryptographic authentication protocol for USB Type-C devices that should put an end to faulty as well as malicious Type-C chargers and devices.
The USB Type-C standard was designed for both charging and data transfers as a convenience feature to allow people to carry fewer cables with them and to help device manufacturers cut costs.
However, once the two were combined, the risk that people would become infected by plugging their laptops and smartphones with strange USB Type-C chargers or devices also increased. The USB devices could have embedded malware, which could infect host devices. The chargers could also be uncertified and use lower quality standards, which could risk damaging the host notebooks or smartphones.
The new authentication protocol for USB Type-C aims to fix both problems by allowing users to set policies that would restrict their devices to using only USB chargers that are compliant with the standard or automatically block them until their authenticity has been confirmed. The verification will be done right when the cable is connected, before any power or data is transmitted to the host device.
The new authentication solution includes several key characteristics to achieve that goal:
- A standard protocol for authenticating certified USB Type-C Chargers, devices, cables and power sources
- Support for authenticating over either USB data bus or USB Power Delivery communications channels
- Products that use the authentication protocol retain control over the security policies to be implemented and enforced
- Relies on 128-bit security for all cryptographic methods
- Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation
It’s not yet clear if this solution also stops the BadUSB vulnerability uncovered two years ago at the BlackHat hacker conference. BadUSB allows malware to infect USB devices, which are then almost impossible to clean up, because the malware embeds itself into the firmware of the device. If the infected USB devices are then plugged into other systems, those systems can also become infected, thus spreading the infection. We’ve contacted the USB Implementers Forum for further clarification about this issue.
Consumers won't have to look for anything new in the new USB Type-C devices they buy, but the manufacturers of such devices will have to update them to the USB Power Delivery 3.0 specification.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.