Software Safeguards Coming to Protect Against Potentially Dangerous USB-C Cables

[MacRumors]

The USB Implementers Forum (USB-IF) today announced the launch of the USB Type-C Authentication specification, a software protocol that will serve as a line of defense protecting USB-C products from non-compliant USB-C cables that are potentially able to damage a device.

With the USB Type-C Authentication specification, computers and other devices with USB-C ports will be able to confirm the authenticity of a USB device or USB charger, verifying elements like certification status and power flow, along with ensuring no malware is present.

Using this protocol, host systems can confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors/capabilities and certification status. All of this happens right at the moment a wired connection is made - before inappropriate power or data can be transferred.

USB Type-C Authentication empowers host systems to protect against non-compliant USB Chargers and to mitigate risks from maliciously embedded hardware or software in USB devices attempting to exploit a USB connection

The USB Type-C Authentication specification comes after some non-compliant USB-C cables were able to damage electronic devices. Google engineer Benson Leung spent weeks testing USB-C cables sold by Amazon after a third-party cable he bought destroyed his Chromebook Pixel, making it his mission to highlight the risks of non-compliant cables.

Leung's work led Amazon to ban third-party retailers from offering USB-C cables that do not adhere to the standard specifications issued by the USB-IF, and it's also led to the creation of the protections announced today.

Key characteristics of the USB Type-CTM Authentication solution include:

- A standard protocol for authenticating certified USB Type-CTM Chargers, devices, cables and power sources
- Support for authenticating over either USB data bus or USB Power Delivery communications channels
- Products that use the authentication protocol retain control over the security policies to be implemented and enforced
- Relies on 128-bit security for all cryptographic methods
- Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

Apple began using USB-C with the Retina MacBook, choosing the standard because it allows both data and power transfer through a single connector. USB-C is appealing for its universality, but because USB-C cables can transfer more power than traditional USB connectors, non-compliant or faulty equipment can damage electronic devices by providing too much power.

The Retina MacBook already has safeguards built in to protect it from non-compliant cables, but the new USB Type-C Authentication feature will offer another layer of protection should Apple choose to implement it. Current machines will only charge from third-party USB-C power adapters if they comply with the USB Power Delivery specification, and if too much power is detected, the USB-C ports on the MacBook will shut down.

While the Retina MacBook is the only product that currently offers USB-C functionality, Apple may choose to offer USB-C ports in additional machines in upcoming updates scheduled to take place across 2016.

Article Link: Software Safeguards Coming to Protect Against Potentially Dangerous USB-C Cables

 

[You are the One]

Scary. Put the wrong cable in and...

 

[Zimmie]

"With the USB Type-C Authentication specification, computers ... will be able to confirm ... no malware is present." in your cable.

Aren't active cables awesome?

 

[Porco]

Whatever you do, just don't plug in that red cable over there, ok...

No, wait, I meant the BLUE cable... don't plug in the BLUE cable, STOP!!!

 

[You are the One]

Do you take the RED cable or the BLUE cable?

 

[oneMadRssn]

With the USB Type-C Authentication specification, computers and other devices with USB-C ports will be able to confirm the authenticity of a USB device or USB charger, verifying elements like certification status and power flow, along with ensuring no malware is present.

A problem that only exists because companies insist on combining charging cables and data cables into one.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

 

[AbblePC]

A problem that only exists because companies insist on combining charging cables and data cables into one.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

"I love my Fisher Space Pen"

 

[killawat]

I vote to call it the "Leung" protocol, after he saved everyone from bunk cables.

 

[MasterMac]

A problem that only exists because companies insist on combining charging cables and data cables into one.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

http://www.snopes.com/business/genius/spacepen.asp

 

[djang0]

I'm surprised they didn't see this coming. I mean come on, all those cheap generic Hong Kong shipped USB cables they sell in every convenience stores possible... how many of their manufacturers really care about the specs and implement them properly? Most of them likely just want to make a quick buck...

 

[btrach144]

It's worth it. USB C and Thunderbolt 3 on my Dell Precision 7510 are killer. Just don't buy cables on eBay

 

[joueboy]

So for 2 decades now we never had a problem with USB. Well obviously 10+ years ago those cables are ridiculously expensive. Some printers doesn't include USB in the box so you buy them separate. For awhile I thought technology got matured and cheaper just like computers and mobile phones. So USB cables are really cheap and I don't have problems buying extra 2 cables as a backup. Now they're doing things so we have pay more, using the word "SAFER".

 

[Gudi]

A problem that only exists because companies insist on combining charging cables and data cables into one.

How dare they! Don't they know data and power are both just electricity? Hundreds of millions of iPods, iPhones and iPads work fine with two cables, one for data and one for power. Now suddenly those silly engineers want to change a proven concept.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, ...

Reminds me of this one time, when someone on the internet came up with a story which had nothing to do with the topic at hand.

 

[oneMadRssn]

http://www.snopes.com/business/genius/spacepen.asp

Yes I know the story is not literally true. That doesn't mean it's not a nice and colorful anecdote to go along with the idea that the simplest solution is sometimes the best one.
[doublepost=1460503885][/doublepost]

How dare they! Don't they know data and power are both just electricity? Hundreds of millions of iPods, iPhones and iPads work fine with two cables, one for data and one for power. Now suddenly those silly engineers want to change a proven concept.

Never really cared if someone wanted to infect my iPod with malware...

At least iOS asks you whether you are connected to a trusted device before enabling the device to exchange data. Not that this security feature is bulletproof, and it is indeed quite easy to circumvent. Still... it's more than OS X offers right now.

 

[manu chao]

A problem that only exists because companies insist on combining charging cables and data cables into one.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

Would you advocate that solution for smartphones as well?

Before non-Apple (smart)phones switched to some version of USB (and even then it took a while until micro USB emerged as a standard), the plethora of different charging plugs and parameters for phones were a royal pain, in regard to not being able to use other people's chargers and in perfectly good chargers ending up in landfills when one bought a new phone which came with a different type of charger. Standardisation of chargers then coincided with the need to transfer large-ish amounts of data to phones and that locked in the combination of data and charging in one port.

 

[GeneralChang]

A problem that only exists because companies insist on combining charging cables and data cables into one.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

Then the Russians discovered that having graphite floating all over the interior of their spacecraft and screwing with the vital electronics was NOT such a great thing, and started using the same pen.

 

[manu chao]

Never really cared if someone wanted to infect my iPod with malware...

Unless somebody used that to infect your Mac (or PC) in consequence. Ironically, methods to infect iPhones have built on first infecting your Mac or PC.

 

[Gudi]

Never really cared if someone wanted to infect my iPod with malware...

Me neither, but that's also off topic. This USB-C safeguard is about electric safety not data security.

 

[GeneralChang]

Yes I know the story is not literally true. That doesn't mean it's not a nice and colorful anecdote to go along with the idea that the simplest solution is sometimes the best one.

It would be if it weren't the case that, in the story you shared, the simplest solution was not the best one.

 

[Iconoclysm]

A problem that only exists because companies insist on combining charging cables and data cables into one.

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Sometimes the simplest solution is the best one. Dedicated power port. Done.

You think two ports is more simple than one? Wrong. Done.

 

[macs4nw]

A problem that only exists because companies insist on combining charging cables and data cables into one...... Sometimes the simplest solution is the best one. Dedicated power port. Done.

The single charging/Date cable is an uncluttered, simple and elegant solution to the multitude of cables and connections that usually litter our desks. Also not sure if that 'Dedicated power port' would solve the problem of possibly maliciously embedded hardware or software in those USB devices that could be attempting to exploit USB connections thru the USB-C port.

These new safeguards if effective, are a timely solution to a problem that could've wreaked havoc with our equipment once that new USB-C standard as expected, takes off in a big way.

 

[oneMadRssn]

Me neither, but that's also off topic. This USB-C safeguard is about electric safety not data security.

Read the article:

With the USB Type-C Authentication specification, computers and other devices with USB-C ports will be able to confirm the authenticity of a USB device or USB charger, verifying elements like certification status and power flow, along with ensuring no malware is present.

Would you advocate that solution for smartphones as well?

Before non-Apple (smart)phones switched to some version of USB (and even then it took a while until micro USB emerged as a standard), the plethora of different charging plugs and parameters for phones were a royal pain, in regard to not being able to use other people's chargers and in perfectly good chargers ending up in landfills when one bought a new phone which came with a different type of charger. Standardisation of chargers then coincided with the need to transfer large-ish amounts of data to phones and that locked in the combination of data and charging in one port.

I worry less about charging smartphones because I can get work done without a smartphone. There are times where I must use my computer to get unexpected and time-sensitive work done, and I would rather not worry about whether the public USB charging station at the airport has malware or not, or whether the cheapo charging adapter I have to buy from the mini-mart when I forget my charger when I travel has malware or not. This situation presently doesn't come up with smartphones, I can let the battery die.

I am not opposed to standardization of chargers. I agree that filling landfill with proprietary chargers is a very bad thing.

What I am worried about is the situation where to charge your computer, which is something everyone has to do at some point, requires taking the risk of exposing your computer to a data connection with an unknown source.

Another simple solution to this issue are USB cables with a switch in the middle, that lets you physically toggle from charging only to charging+data.
[doublepost=1460507433][/doublepost]

Also not sure if that 'Dedicated power port' would solve the problem of possibly maliciously embedded hardware or software in those USB devices that could be attempting to exploit USB connections thru the USB-C port.

There is almost no situation where I have to plug in a USB device. There are many situations where I have to charge my computer and might not have the OEM charging adapter with me.

 

[CarlJ]

Reminds me the story of the space pen. NASA realized that regular ballpoint pens don't work in zero gravity, so they spent some enormous amount of resources on R&D to design a pressurized ink cartridge that can write upside down and in zero gravity, what we call the space pen. The Russians just used a pencil.

Aside from this story being known to be false (someone already provided the snopes link, Fisher paid for the development themselves, so no tax dollars were harmed), a pencil is a terrible idea in space - you'll invariably end up with random bits of graphite (if not also sharpener shavings and eraser dross) floating around the capsule, getting into places where they ought not to be - especially troubling given that graphite is electrically conductive and could damage, you know, those electronic circuits you're depending on for life support, navigation, landing, and other such mundane activities.

This suggests a quote that isn't fake:

"For every complex problem there is an answer that is clear, simple, and wrong." -- H. L. Mencken

 

[stiligFox]

...the USB-C ports on the MacBook will shut down.

I wish...

 

[roop27]

Do you think apple will move all their devices to a USB C standard? USB C surely makes the lightning cable defunct now?