Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,999
33,189



The USB Implementers Forum today announced the launch of a USB Type-C Authentication program, which is designed to create a cryptographic-based authentication definition for USB-C chargers and devices.

This is important because USB-C Authentication will provide protection from malicious firmware/hardware in USB-C devices. There are multiple USB-based attacks that are out in the wild and are able to do things like keystroke injection, installing backdoors, emulating mouse movements, logging data, hijacking traffic, infecting machines with viruses, and more.

usbc-800x412.png

In addition to protecting against malicious hardware, the program will keep host systems safe from non-compliant USB chargers that could potentially cause harm.

With the USB-C Authentication protocol, host machines will be able to confirm the authenticity of a USB-C device, cable, or charger. This confirmation happens right when a connection is made before inappropriate power or data can be transferred.

The USB-IF has outlined the characteristics of the USB-Type-C Authentication Program:

[*]A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
[*]Support for authenticating over either USB data bus or USB Power Delivery communications channels
[*]Products that use the authentication protocol retain control over the security policies to be implemented and enforced
[*]Relies on 128-bit security for all cryptographic methods
[*]Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

Manufacturers who create devices that use USB-C will be able to implement the new authentication protocol into their devices to protect consumers. There is no requirement to implement support for USB-C authentication at this time, with protocol provided as an option to OEMs.

Though Apple has not commented on the release of the program, the Cupertino company will likely be one of the companies to adopt USB-C authentication protocols in the future given its focus on security.

Article Link: USB-C Authentication Program Launches to Offer Future Protection Against Malicious Hardware
 

chucker23n1

macrumors G3
Dec 7, 2014
8,845
11,751
This is rather short on details.

  • will there be a central certification authority? Or can any manufacturer create their own keys? Can a manufacturer like Apple decide to whitelist or blacklist certain devices?
  • how much control does the user get? Does the spec expect the OS to present a dialog, like iOS 7 and newer do for Lightning devices, for the user to confirm that the device is trustworthy? If so, has there been usability research on this, particularly regarding the risk of making such a dialog useless as the user is trained to always accept?
 

Arbuthnott

macrumors regular
Jul 4, 2008
186
276



The USB Implementers Forum today announced the launch of a USB Type-C Authentication program, which is designed to create a cryptographic-based authentication definition for USB-C chargers and devices.

This is important because USB-C Authentication will provide protection from malicious firmware/hardware in USB-C devices. There are multiple USB-based attacks that are out in the wild and are able to do things like keystroke injection, installing backdoors, emulating mouse movements, logging data, hijacking traffic, infecting machines with viruses, and more.

usbc-800x412.png

In addition to protecting against malicious hardware, the program will keep host systems safe from non-compliant USB chargers that could potentially cause harm.

With the USB-C Authentication protocol, host machines will be able to confirm the authenticity of a USB-C device, cable, or charger. This confirmation happens right when a connection is made before inappropriate power or data can be transferred.

The USB-IF has outlined the characteristics of the USB-Type-C Authentication Program:

[*]A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
[*]Support for authenticating over either USB data bus or USB Power Delivery communications channels
[*]Products that use the authentication protocol retain control over the security policies to be implemented and enforced
[*]Relies on 128-bit security for all cryptographic methods
[*]Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

Manufacturers who create devices that use USB-C will be able to implement the new authentication protocol into their devices to protect consumers. There is no requirement to implement support for USB-C authentication at this time, with protocol provided as an option to OEMs.

Though Apple has not commented on the release of the program, the Cupertino company will likely be one of the companies to adopt USB-C authentication protocols in the future given its focus on security.

Article Link: USB-C Authentication Program Launches to Offer Future Protection Against Malicious Hardware
Oh joy! Thank goodness we are now going to be protected from buying cheap generic USB leads. I wondered how long it would be before USB C leads became as ridiculously expensive as the Apple leads always are. And of course, the opportunity for USB leads to be anything other than simply a way of attaching wires to a port has been created entirely by Apple and others building in all manner of coding into the lead in order to be able to charge you more for it. Time for the EU to demand that the USB standard should revert to being a dumb connector.
[doublepost=1546461565][/doublepost]
This is rather short on details.

  • will there be a central certification authority? Or can any manufacturer create their own keys? Can a manufacturer like Apple decide to whitelist or blacklist certain devices?
  • how much control does the user get? Does the spec expect the OS to present a dialog, like iOS 7 and newer do for Lightning devices, for the user to confirm that the device is trustworthy? If so, has there been usability research on this, particularly regarding the risk of making such a dialog useless as the user is trained to always accept?
I bought two robust and cheap Lightning - USB leads to the console of my motorbike, to use my iPhone for GPS. Initially the leads were great, but one or another of the iOS updates changed that. These leads now will allow some connection to the phone, but not reliably, and charging often stops. Charging is essential when using the GPS for many hours of outing. I cant see why Apple should be able to insist that I can only use leads that they get paid an exorbitant licensing fee for. I mean, isn’t that exactly what Apple are being riteously indignant about with Qualcomm? Sauce for goose. Stop ripping us off for leads!!!
 

lunarworks

macrumors 68000
Jun 17, 2003
1,972
5,213
Toronto, Canada
As long as it's optional, this is boon for anyone security conscious. Especially if it applies to Thunderbolt. There's all kinds of wild malicious tricks that can be performed over USB these days, and anything that can potentially lock them out will be welcome.
 

coolfactor

macrumors 604
Jul 29, 2002
7,353
10,231
Vancouver, BC
I’m surprised it took this long for anything like this to be announced. It should have been announced years ago. The overall risk is still quite small but eventually I can see this being mandatory for any plug and play device.

This could've been one reason why Lightning was developed and held on for so long. With this new protocol, we could see Apple move entirely to USB-C. I'd miss Lightning, but we will adapt.
 

farewelwilliams

Suspended
Jun 18, 2014
4,966
18,041
Great apple will now use this to block any accessories that aren't "made for mac" and forcing people to buy their $80 dongle smh
no. that doesn't make sense at all. if apple really wanted to do that, they wouldn't have adopted usb-c in the first place. they would have created another proprietary port.
 

Jetfire

macrumors 6502
Jul 10, 2008
386
347
Cincinnati, Ohio, USA
I just wish the would make USB-C cables a Standard like USB 2 and UBS 3 were. Man when I looked to buy one. I found out all the pitfalls USB-C created. I'm not talking about Thunderbolt 3 vs USB-C. USB-C cables can be Power only or limited Data through-put. And the selection is not on par with the old USB like lengths and extensions
 

chucker23n1

macrumors G3
Dec 7, 2014
8,845
11,751
Oh joy! Thank goodness we are now going to be protected from buying cheap generic USB leads.

I don't know what you mean by "leads".

Time for the EU to demand that the USB standard should revert to being a dumb connector.

USB was never a particularly dumb connector. It's gotten more complex with type C, but type A/B was hardly dumb, and BadUSB attacks were possible with those.

As long as it's optional, this is boon for anyone security conscious. Especially if it applies to Thunderbolt. There's all kinds of wild malicious tricks that can be performed over USB these days, and anything that can potentially lock them out will be welcome.

I can sort of see making it more configurable in an MDM environment, and probably a developer mode where you opt out entirely so that you can test self-developed hardware. But other than that, odds are this will be mandatory on macOS and Windows within a few years.
 
  • Like
Reactions: RandomDSdevel

Arbuthnott

macrumors regular
Jul 4, 2008
186
276
I don't know what you mean by "leads".



USB was never a particularly dumb connector. It's gotten more complex with type C, but type A/B was hardly dumb, and BadUSB attacks were possible with those.



I can sort of see making it more configurable in an MDM environment, and probably a developer mode where you opt out entirely so that you can test self-developed hardware. But other than that, odds are this will be mandatory on macOS and Windows within a few years.

Lead: from the dictionary, "BRITISH a wire that conveys electric current from a source to an appliance, or that connects two points of a circuit together."

Dumb Connector: n conductors in, arranged in a particular plug format; n conductors out, also arranged in a particular plug format. No electronic signal processing in the lead at all. Just moving electrons along separate conductors between devices. All the processing to be done in the devices themselves, rather than having some processing done in the lead

The only reason, in this case, for putting electronics into the cable (yes, to be pedantic, into one or both of the plugs), is to be able to dictate terms for licensees to be able to manufacture and sell cables that some fee has been paid for.
 
  • Like
Reactions: RandomDSdevel

aka-47

macrumors newbie
Jan 2, 2019
4
0
Next to u!
Despite vulnerabilities I believe my Apple 13in Retina MacBook Pro (Early 2015) will be a competitor to devices with USB-C for some time.
 

HenrikWivel

macrumors member
Nov 2, 2016
69
174
Hope the protocol will be used to enhance security and not to block 3. party devices from working. Or even worse, use it for throttling or limiting functionality.

Raises tons of questions about the management and organisation around it, though. Just to mention a few: Who decides what is ‘safe’ and for whom? Who have authority to blacklist, based on which criterias and on which terms?
 

MrUNIMOG

macrumors 6502a
Sep 23, 2014
654
424
Hamburg, Germany
Lead: from the dictionary, "BRITISH a wire that conveys electric current from a source to an appliance, or that connects two points of a circuit together."

Dumb Connector: n conductors in, arranged in a particular plug format; n conductors out, also arranged in a particular plug format. No electronic signal processing in the lead at all. Just moving electrons along separate conductors between devices. All the processing to be done in the devices themselves, rather than having some processing done in the lead

The only reason, in this case, for putting electronics into the cable (yes, to be pedantic, into one or both of the plugs), is to be able to dictate terms for licensees to be able to manufacture and sell cables that some fee has been paid for.

No. Safety of USB Power Delivery necessitates putting electronics into the cable. You'd not want your 15" MBP trying to draw over 4 amps through some thin cable rated for 500 mA... That's why the cable has to be part of USB PD negotiation.
 
  • Like
Reactions: RandomDSdevel
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.