date 2003-01-19
from the both dept.
USB-C could soon offer protection against nefarious devices:
The program defines the optimal cryptographic-based authentication for USB-C devices and chargers. Any host system using this protocol will be able to confirm the authenticity of a device or charger, including descriptors and capabilities, right at the moment a connection is made. So say, for example, you're concerned about charging your phone at a public terminal. Your phone could implement a policy only allowing a charge from certified chargers. A company, meanwhile, could set a policy for its PCs, giving them access only to verified USB storage devices.
At this stage, the program is simply a recommendation -- there's no mandatory implementation required, but its creation certainly points to future security requirements for USB-C, which USB-IF president Jeff Ravencraft believes is "the single cable of the future."
USB Type-C Authentication Program gets started, sounds like it's effectively DRM for Type-C devices:
Today the USB-IF, the non-profit behind the USB standard's marketing and specifications, revealed the formal launch of its "USB Type-C™ Authentication Program," originally announced back in 2016. The optional program "defines cryptographic-based authentication for USB Type-C chargers and devices." If that sounds like a thinly veiled euphemism for hardware DRM to you, that's because it is.
The new authentication mechanism "empowers" vendors to "protect" us customers against "non-compliant USB chargers." Bad chargers and cables are/were a legitimate problem for the USB Type-C ecosystem (praise be to Benson), but the USB-IF's program allows for vendors to use this means of accessory certification for anything they choose. This isn't just a standard set by the USB-IF for cables and chargers to meet, any OEM can use it to bake-in support for only "approved" devices if they like. Remember when Apple clamped down on third-party hardware with its MFi certification program? Now USB-C-wielding OEMs can get in on some of that licensing action, and better, it's being done in the name of security.
In addition to pushing PD compliance, the nascent standard is being spun as a security enhancement, protecting us consumers from malicious firmware and hardware attached to USB devices. But even the marketing PR can't help but point out how useful it will be for OEMs in other, less consumer-friendly ways: "Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger, including such product aspects as the capabilities and certification status."
A Google engineer has been testing USB Type-C cables, which can provide power to devices, and has found one that destroys connected hardware:
Googler Benson Leung has been on a quest to try out the latest USB Type-C cables and find those that aren't up to snuff. Properly configured Type C connectors should be able to provide power and very high data rates, but most of those on the market have serious flaws, he has found. His findings have already caused one manufacturer to make a public mea culpa. In his latest review, for a Surjtech 3M USB A-to-C cable, Leung found that the cable had been wired up incorrectly and was actively harmful.
He reported that he plugged the cable into his 2015 edition Pixel via a USB power delivery analyzer and connected it to an Apple 12W iPad charger. The second the connection was made it fried both the analyzer and the Pixel laptop. The analyzer, and a second unit he tried, both died on contact with the cable and not even a firmware reinstall would get them working. As for the Pixel, both USB ports died as the current fried the embedded controller, meaning the laptop couldn't be charged or linked to another device.
"I directly analyzed the Surjtech cable using a Type-C breakout board and a multimeter, and it appears that they completely miswired the cable. The GND pin on the Type-A plug is tied to the Vbus pins on the Type-C plug. The Vbus pin on the Type-A plug is tied to GND on the Type-C plug," he wrote. "This is a total recipe for disaster and I have 3 pieces of electronics dead to show for it – my Pixel 2015 and two USB PD analyzers. Needless to say, this cable is fundamentally dangerous. Do not buy this under any circumstances."
Chromebook Pixel (2015) is a $999 laptop.
Amazon will prohibit listings of non-compliant USB Type-C cables, following reports of hardware being damaged by faulty cables:
Amazon has updated its rules governing the sale of USB-C cables in the US, saying only fully compliant products will be stocked on the site. The update to a list of prohibited listings now includes "any USB-C (or USB Type-C) cable or adapter product that is not compliant with standard specifications".
Google developer Benson Leung noticed the change. Some USB-C cables can damage devices or fail to charge them properly. "Really great news, but we all have to continue to be vigilant and call out any bad products we find on Amazon and other stores (both online and brick and mortar) as we find them," wrote Mr Leung on Google+.
Amazon's rules, which refer to standards set by USB Implementers Forum, Inc., apply to any merchant selling items through its Amazon Sellers programme. [...] A list of compliant USB-C cables has been published by USB Implementers Forum, Inc.
The days of killer USB Type-C cables may soon be over:
The USB Promoter Group announced a new cryptographic authentication protocol for USB Type-C devices that should put an end to faulty as well as malicious Type-C chargers and devices.
The USB Type-C standard was designed for both charging and data transfers as a convenience feature to allow people to carry fewer cables with them and to help device manufacturers cut costs. However, once the two were combined, the risk that people would become infected by plugging their laptops and smartphones with strange USB Type-C chargers or devices also increased. The USB devices could have embedded malware, which could infect host devices. The chargers could also be uncertified and use lower quality standards, which could risk damaging the host notebooks or smartphones.
The new authentication protocol for USB Type-C aims to fix both problems by allowing users to set policies that would restrict their devices to using only USB chargers that are compliant with the standard or automatically block them until their authenticity has been confirmed. The verification will be done right when the cable is connected, before any power or data is transmitted to the host device.
