End to rogue USB-C and fried devices: New spec pulls plug on bogus chargers, malicious USBs
USB Type-C authentication will let hosts such as PCs, tablets, and smartphones confirm the authenticity of a charger or cable.
A new specification for USB Type-C shows how the tech industry hopes to use cryptographic authentication to keep substandard USB chargers and devices from damaging laptops.
The spec could be the tool that USB-IF, the group behind USB, needs to prevent non-compliant, reversible USB-Type C cables and adapters from causing harm to hardware.
As a recent study showed, along with more devices that support USB Type-C, there's been a proliferation of dubious cables and chargers, some of which can fry a connected device.
Amazon's ban on the sale of USB-C products that don't comply with USB-IF specification will go some way to preventing non-compliant offerings reaching consumers. But if consumers do get their hands on one, there's no technical measure to prevent them damaging their devices once plugged in.
The USB Type-C authentication, announced at the Intel Developer Forum in Shenzhen, China, may help achieve this by allowing hosts such as PCs, tablets, and smartphones to confirm the authenticity of a charger or cable.
It also promises a way for enterprises to set a policy for corporate PCs to reject unapproved Type-C USB thumb drives by only allowing USB storage devices that have been verified and signed by the IT team.
Thus the feature could address a persistent weak spot in enterprise security, stemming from the willingness of people to stick any USB drive they find into their machines. While security pros have long warned of the potential for unknown USB drives to infect a PC with malware, curiosity still often gets the better of people.
A recent study by researchers at Google, the University of Illinois. and Michigan University found that most people plugged an untrusted USB drive into their computers within a few hours of picking them up off the ground at various locations on a university campus.
A third component of the specification deals with the authenticity of USB power delivery products. A smartphone owner at an airport can set a policy that restricts the phone to charging only from certified USB power delivery products.
The specification is aiming for 128-bit security for all cryptographic methods. One major concern USB-IF has is an attacker extracting the secret keys from any product.
"In a worst case scenario, the extraction of even one secret key could allow an attacker to clone products in unlimited volume. This or similar scenarios would degrade trust in the whole USB Type-C Authentication ecosystem," it notes in the specification and therefore recommends devices makers implement tamper-resistant storage of private keys.
It also warns against using the same private keys across multiple products.
According to Ars Technica, USB-IF envisages that host OEMs could issue firmware and software updates to support the new specification, while adapters, cables, and other accessories that can't be updated to support the standard will need to be replaced with accessories that do.