USB Type-C Authentication Protocol To Allow Blocking Of Uncertified And Malicious USB Devices

The USB Promoter Group announced a new cryptographic authentication protocol for USB Type-C devices that should put an end to faulty as well as malicious Type-C chargers and devices.

The USB Type-C standard was designed for both charging and data transfers as a convenience feature to allow people to carry fewer cables with them and to help device manufacturers cut costs.

However, once the two were combined, the risk that people would infect their laptops and smartphones by plugging them into unfamiliar USB Type-C chargers or devices also increased. USB devices could carry embedded malware, which could infect host devices. Chargers could also be uncertified and built to lower quality standards, which could risk damaging the host notebooks or smartphones.

The new authentication protocol for USB Type-C aims to fix both problems by allowing users to set policies that would restrict their devices to using only USB chargers that are compliant with the standard or automatically block them until their authenticity has been confirmed. The verification will be done right when the cable is connected, before any power or data is transmitted to the host device.

The new authentication solution includes several key characteristics to achieve that goal:

  • A standard protocol for authenticating certified USB Type-C Chargers, devices, cables and power sources
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation
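The connect-time check described above can be sketched as a certificate check followed by a challenge-response; this is an added example, not code from the article or from the USB specification. It is a simplified model: the "certificate" is only the issuer's signature over the device public key, Ed25519 is an assumption chosen as a primitive at roughly the 128-bit security level (the article does not name the algorithms), and `Identity`, `NewIdentity`, `Respond`, `Authenticate` and `Demo` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is a constructed key holder (root or charger); Cert is a simplified certificate: the issuer's signature over Pub.
type Identity struct {
	key  ed25519.PrivateKey // stays on the device; the host only sees Pub, Cert and Respond
	Pub  ed25519.PublicKey
	Cert []byte
}

// NewIdentity makes a key pair certified by issuer; a nil issuer self-signs (used for roots).
func NewIdentity(issuer ed25519.PrivateKey) Identity {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if issuer == nil {
		issuer = key
	}
	return Identity{key, pub, ed25519.Sign(issuer, pub)}
}

// Respond is the device side of the exchange: sign the host's nonce with the private key.
func (d Identity) Respond(nonce []byte) []byte { return ed25519.Sign(d.key, nonce) }

// Authenticate is the host check run on connect; false means power and data stay off.
func Authenticate(root ed25519.PublicKey, d Identity) bool {
	if len(d.Pub) != ed25519.PublicKeySize || !ed25519.Verify(root, d.Pub, d.Cert) {
		return false // public key was not certified by the trusted root
	}
	nonce := make([]byte, 32) // fresh per attempt, so a recorded response cannot be replayed
	_, err := rand.Read(nonce)
	return err == nil && ed25519.Verify(d.Pub, nonce, d.Respond(nonce))
}

// Demo: a genuine charger, a copied certificate without its private key, an untrusted issuer.
func Demo() (genuine, cloned, uncertified bool) {
	root, rogue := NewIdentity(nil), NewIdentity(nil)
	good, bad := NewIdentity(root.key), NewIdentity(rogue.key)
	clone := Identity{bad.key, good.Pub, good.Cert}
	return Authenticate(root.Pub, good), Authenticate(root.Pub, clone), Authenticate(root.Pub, bad)
}

func main() { fmt.Println(Demo()) }
```

A true result in this sketch shows only that the key was certified by the trusted root and is held by the responder; it says nothing about the firmware running behind that key.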

It’s not yet clear if this solution also stops the BadUSB vulnerability uncovered two years ago at the BlackHat hacker conference. BadUSB allows malware to infect USB devices, which are then almost impossible to clean up, because the malware embeds itself into the firmware of the device. If the infected USB devices are then plugged into other systems, those systems can also become infected, thus spreading the infection. We’ve contacted the USB Implementers Forum for further clarification about this issue.

Consumers won't have to look for anything new in the new USB Type-C devices they buy, but the manufacturers of such devices will have to update them to the USB Power Delivery 3.0 specification.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 

  • IspotU
    That is interesting, but still a little too soon for me to get on board. I am looking forward to a mass implementation of C. It would be nice to not have to fight so much with USB devices in small cramped spaces.
    Reply
  • Quixit
    Seeing as we already have a raft of USB-C devices out now isn't it a bit too late?
    Reply
  • InvalidError
    DRM for USB cables and power adapters, now they are going to cost another $5-15 extra simply because they eliminated generic competition.
    Reply
  • jellysalt
    While a cable is a passive part, how to use 128-bit security cryptographic methods to authenticate it?
    Reply
  • how the hell plugging a usb device can spread malicious malware
    Reply
  • captaincharisma
    how the hell plugging a usb device can spread malicious malware

    every USB device has a memory chip or has room for a memory chip that can have data stored on it

    is this being too paranoid? yes. is it possible? you bet
    Reply
  • targetdrone
    Why hasn't this been a problem with "outdated" micro-USB devices?
    Reply
  • jojesa
    Why hasn't this been a problem with "outdated" micro-USB devices?
    Previous USB solutions were simpler and less complicated.
    Now USB Type-C chargers and devices have chips and besides power it can support bi-directional power, video (DisplayPort, HDMI, VGA), Thunderbolt and also replace all other USB formats (Type-A, Type-B, Mini-USB, Micro-USB), Ethernet, etc.
    Chips with data are embedded in USB Type-C devices and besides the danger on the data on them, cheaply made devices could draw too much power from a device connected to it and fry it or blow it up in your face.
    Until USB Type-C, USB devices did not have data chips on them nor draw such an amount of power from devices like laptops.
    Reply
  • targetdrone
    And what's to stop Evil China/Russia-Corp from using a legit certification to manufacture 100s of 1000s of malware infected chargers they plan to sell on eBay? Will our USB-C devices need constant security updates to know which manufacturer certificates are invalidated? Good luck with that if you're running a Mobile-Carrier version of Android.
    Reply
  • crystaldragon141
    DRM for USB cables and power adapters, now they are going to cost another $5-15 extra simply because they eliminated generic competition.
    USB devices not cables. The cables have nothing to do with it.
    Reply