Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday January 03 2019, @01:15AM   Printer-friendly
from the both dept.

USB-C could soon offer protection against nefarious devices:

The program defines the optimal cryptographic-based authentication for USB-C devices and chargers. Any host system using this protocol will be able to confirm the authenticity of a device or charger, including descriptors and capabilities, right at the moment a connection is made. So say, for example, you're concerned about charging your phone at a public terminal. Your phone could implement a policy only allowing a charge from certified chargers. A company, meanwhile, could set a policy for its PCs, giving them access only to verified USB storage devices.

At this stage, the program is simply a recommendation -- there's no mandatory implementation required, but its creation certainly points to future security requirements for USB-C, which USB-IF president Jeff Ravencraft believes is "the single cable of the future."

USB Type-C Authentication Program gets started, sounds like it's effectively DRM for Type-C devices:

Today the USB-IF, the non-profit behind the USB standard's marketing and specifications, revealed the formal launch of its "USB Type-C™ Authentication Program," originally announced back in 2016. The optional program "defines cryptographic-based authentication for USB Type-C chargers and devices." If that sounds like a thinly veiled euphemism for hardware DRM to you, that's because it is.

The new authentication mechanism "empowers" vendors to "protect" us customers against "non-compliant USB chargers." Bad chargers and cables are/were a legitimate problem for the USB Type-C ecosystem (praise be to Benson), but the USB-IF's program allows for vendors to use this means of accessory certification for anything they choose. This isn't just a standard set by the USB-IF for cables and chargers to meet, any OEM can use it to bake-in support for only "approved" devices if they like. Remember when Apple clamped down on third-party hardware with its MFi certification program? Now USB-C-wielding OEMs can get in on some of that licensing action, and better, it's being done in the name of security.

In addition to pushing PD compliance, the nascent standard is being spun as a security enhancement, protecting us consumers from malicious firmware and hardware attached to USB devices. But even the marketing PR can't help but point out how useful it will be for OEMs in other, less consumer-friendly ways: "Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status."

Previously: USB Type-C Authentication Protocol Announced

Related: One Manufacturer's "Fundamentally Dangerous" USB Type-C Cable Fries Hardware
Amazon Bans Non-Compliant USB Type-C Cables


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by Anonymous Coward on Thursday January 03 2019, @02:24AM (14 children)

    by Anonymous Coward on Thursday January 03 2019, @02:24AM (#781335)

    > you're concerned about charging your phone at a public terminal.

    What are the possible concerns with this?
    + Over/reverse voltage possibly damaging your device -- build a charging cable with overvoltage protection.
    + Rogue public terminal tries to suck the data out of your phone -- build a charging cable that only looks at the power pins in the connector, ignoring the data pins, and make sure that any signal that is superimposed on the charging pins is filtered in the connector.

    Are there other (edge) cases I've missed?

    Starting Score:    0  points
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  

    Total Score:   2  
  • (Score: 2) by takyon on Thursday January 03 2019, @02:54AM (11 children)

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday January 03 2019, @02:54AM (#781345) Journal

    Are there any such cables (charging-only cable with overvoltage protection)? Every (microUSB) cable I've ever used has had data transmission capability. Can a 100 W Type-C cable comply with the spec if it can't transmit data?

    Finally, even if there was a charge-only Type-C cable, I bet that very few people would buy it. Just as very few people will anticipate any sort of electrical risk from a shoddy cable or security risk at an airport charger terminal.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 1, Insightful) by Anonymous Coward on Thursday January 03 2019, @03:51AM

      by Anonymous Coward on Thursday January 03 2019, @03:51AM (#781369)

      Maybe there should be such cables? Not be a huge market, but folks like those here might buy them in enough quantity to make a business case. If not a whole cable, perhaps a little block that has suitable USB in and out connectors, and only passes conditioned power.

    • (Score: 4, Informative) by Anonymous Coward on Thursday January 03 2019, @06:02AM (6 children)

      by Anonymous Coward on Thursday January 03 2019, @06:02AM (#781402)

      They are colloquially known as "USB condoms" and have beeen around for awhile.
      https://int3.cc/products/usbcondoms [int3.cc]
      Not sure if they make special cables or if any support USB-C yet.

      • (Score: 3, Interesting) by takyon on Thursday January 03 2019, @06:32AM (3 children)

        by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday January 03 2019, @06:32AM (#781405) Journal

        No Type-C cable or FAQ item about it on the new site: http://syncstop.com/ [syncstop.com]

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 0) by Anonymous Coward on Thursday January 03 2019, @10:33AM (2 children)

          by Anonymous Coward on Thursday January 03 2019, @10:33AM (#781426)

          If I'm reading https://en.wikipedia.org/wiki/USB-C#USB_Power_Delivery [wikipedia.org] and https://en.wikipedia.org/wiki/USB_Power_Delivery#Power_Delivery_(PD) [wikipedia.org] correctly, a control channel (CC) pin is required to negotiate more than 15W, but the data pins (USB2 D+/- and USB3 TX/RX pairs) are not required for power delivery. Though the CC pin transmits data, in a sense? So, maybe they could build something like a condom with a tiny hole in it...

          • (Score: 0) by Anonymous Coward on Thursday January 03 2019, @04:29PM (1 child)

            by Anonymous Coward on Thursday January 03 2019, @04:29PM (#781523)

            15W ought to be enough for anyone (with apologies to 640K & Bill Gates).

            • (Score: 2) by DannyB on Thursday January 03 2019, @08:52PM

              by DannyB (5839) Subscriber Badge on Thursday January 03 2019, @08:52PM (#781679) Journal

              45W for a laptop.

              But the laptop USB-C charger looks like a phone USB-C charger. So you could mistake them. And nothing bad happens when you do.

              Maybe eventually, if there is no *real* cost issue, it might be simpler and cheaper to only make laptop (45W) chargers -- even for phones. The phone will still negotiate for what it wants, even if the charger can supply more.

              --
              People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 2) by hendrikboom on Thursday January 03 2019, @05:54PM (1 child)

        by hendrikboom (1125) Subscriber Badge on Thursday January 03 2019, @05:54PM (#781580) Homepage Journal

        That condom seems to block the data pins, but does it block high-voltage power transients, or even just plain high voltages?

        • (Score: 2) by toddestan on Friday January 04 2019, @04:37AM

          by toddestan (4982) on Friday January 04 2019, @04:37AM (#781907)

          Looks to be pretty simple. There's 3 surface mount resistors on it. My guess they are there to fool certain devices into charging as some devices look for a resistance across the data pins to know whether they are plugged into a dumb charger.

          I made one a while ago by basically slicing open an extension cable, cutting the data wires, then wrapping it back up with electrical tape. I forgot how exactly I determined which wire was which - I might have taken a guess that the red and black were power and cut the other lines and was correct. Looked exactly how you might expect, but it did the job. Seems I lost track of it at some point though.

    • (Score: 2) by Nuke on Thursday January 03 2019, @10:19AM (2 children)

      by Nuke (3162) on Thursday January 03 2019, @10:19AM (#781424)

      Can a 100 W Type-C cable comply with the spec if it can't transmit data?

      Can a breakfast be called spam egg and chips without the spam? No, so call it something else.

      There was a time when charging did not get mixed in with data. Phones were sold with a charging cable with a jack-type connector with just a + and - power voltage. You provided your own USB data cable if you wanted to transfer data - no problem, I have a box full of them. USB connections were never originally intended for power charging, but manufacturers hijacked them for such to save a few pence on a separate charging jack.

      • (Score: 0) by Anonymous Coward on Thursday January 03 2019, @10:39AM (1 child)

        by Anonymous Coward on Thursday January 03 2019, @10:39AM (#781427)

        USB connections were never originally intended for power charging, but manufacturers hijacked them for such to save a few pence on a separate charging jack.

        Manufacturers were more than content to have proprietary ports requiring device-specific chargers until they were forced to pick something and stick with it. They picked USB as a least-bad option.

        • (Score: 2) by DannyB on Thursday January 03 2019, @05:06PM

          by DannyB (5839) Subscriber Badge on Thursday January 03 2019, @05:06PM (#781551) Journal

          The days of having a separate, special charger for every device were sad. Very sad. Terrible.

          The state of Universal Stupid Bus is much better, despite any warts it may have.

          I don't have a problem with chargers and devices being able to negotiate a charging current and voltage. It seems to work pretty well. I can use my laptop charger on my phone. I can use my phone charger on my laptop -- but the laptop warns that it will not charge fast.

          I would like to apply for a research grant for staff, laboratory and equipment for an experiment: Take a USB-C to C cable, and connect two wall chargers together and plug them both in.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
  • (Score: 2) by mobydisk on Thursday January 03 2019, @05:29PM

    by mobydisk (5472) on Thursday January 03 2019, @05:29PM (#781563)

    I think you got them.

    Rogue public terminal tries to suck the data out of your phone

    My phone does not negotiate PTP, MTP, or USB mass storage until I select it to do so. Is that not how all devices work today? I don't see a need for a hardware solution to that one.

    And of course, a software solution like is proposed in the article doesn't help against a malicious charger damaging your device, since as soon as the cable is connected it is too late.

  • (Score: 2) by pipedwho on Friday January 04 2019, @04:04AM

    by pipedwho (2032) on Friday January 04 2019, @04:04AM (#781894)

    Of which this 'cable crypto' does nothing. I can still cannibalise a charger with a valid chip, and add some extra overvoltage zapping circuitry to it, so your device authenticates successfully, then boom!

    Or it authenticates successfully, and if it for some reason is allowing general access to peripherals, I can now suck you data off the public charging point.

    The only things as you've pointed out that help with those problems are devices that don't allow data transfer when the user hasn't authorised it on the device itself, and voltage protection on the charger input circuitry in the device.