USB-C could soon offer protection against nefarious devices:
The program defines the optimal cryptographic-based authentication for USB-C devices and chargers. Any host system using this protocol will be able to confirm the authenticity of a device or charger, including descriptors and capabilities, right at the moment a connection is made. So say, for example, you're concerned about charging your phone at a public terminal. Your phone could implement a policy only allowing a charge from certified chargers. A company, meanwhile, could set a policy for its PCs, giving them access only to verified USB storage devices.
At this stage, the program is simply a recommendation -- there's no mandatory implementation required, but its creation certainly points to future security requirements for USB-C, which USB-IF president Jeff Ravencraft believes is "the single cable of the future."
USB Type-C Authentication Program gets started, sounds like it's effectively DRM for Type-C devices:
Today the USB-IF, the non-profit behind the USB standard's marketing and specifications, revealed the formal launch of its "USB Type-C™ Authentication Program," originally announced back in 2016. The optional program "defines cryptographic-based authentication for USB Type-C chargers and devices." If that sounds like a thinly veiled euphemism for hardware DRM to you, that's because it is.
The new authentication mechanism "empowers" vendors to "protect" us customers against "non-compliant USB chargers." Bad chargers and cables are/were a legitimate problem for the USB Type-C ecosystem (praise be to Benson), but the USB-IF's program allows for vendors to use this means of accessory certification for anything they choose. This isn't just a standard set by the USB-IF for cables and chargers to meet, any OEM can use it to bake-in support for only "approved" devices if they like. Remember when Apple clamped down on third-party hardware with its MFi certification program? Now USB-C-wielding OEMs can get in on some of that licensing action, and better, it's being done in the name of security.
In addition to pushing PD compliance, the nascent standard is being spun as a security enhancement, protecting us consumers from malicious firmware and hardware attached to USB devices. But even the marketing PR can't help but point out how useful it will be for OEMs in other, less consumer-friendly ways: "Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status."
Previously: USB Type-C Authentication Protocol Announced
Related: One Manufacturer's "Fundamentally Dangerous" USB Type-C Cable Fries Hardware
Amazon Bans Non-Compliant USB Type-C Cables
(Score: 4, Interesting) by toddestan on Friday January 04 2019, @04:47AM (2 children)
Do you trust it though? Does the phone actually deny access to the computer, or does it just tell the computer not to peek?
Kind of write the write-protect tabs on floppy disks. The stupid plastic tab you flip doesn't protect a damn thing. It's up to the drive to read the position of the tab and honor its position. There's nothing actually stopping the drive from writing to the disk if it wanted to.
(Score: 1, Funny) by Anonymous Coward on Friday January 04 2019, @06:01AM
What’s a floppy disk?
(Score: 2) by mobydisk on Monday January 07 2019, @08:40PM
The computer does not even see the device at all. Windows does not play the "badoop" sound indicating a device was connected and nothing appears in the control panel. I do not believe USB supports a protocol that says "Please don't copy my files." It's up to the device to advertise the capability and permit the negotiation.