USB-C Authentication Program Launches to Offer Future Protection Against Malicious Hardware

Discussion in 'Mac Blog Discussion' started by MacRumors, Jan 2, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    The USB Implementers Forum today announced the launch of a USB Type-C Authentication program, which is designed to create a cryptographic-based authentication definition for USB-C chargers and devices.

    This is important because USB-C Authentication will provide protection from malicious firmware/hardware in USB-C devices. There are multiple USB-based attacks that are out in the wild and are able to do things like keystroke injection, installing backdoors, emulating mouse movements, logging data, hijacking traffic, infecting machines with viruses, and more.

    [​IMG]

    In addition to protecting against malicious hardware, the program will keep host systems safe from non-compliant USB chargers that could potentially cause harm.

    With the USB-C Authentication protocol, host machines will be able to confirm the authenticity of a USB-C device, cable, or charger. This confirmation happens right when a connection is made before inappropriate power or data can be transferred.

    The USB-IF has outlined the characteristics of the USB-Type-C Authentication Program:

    [*]A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
    [*]Support for authenticating over either USB data bus or USB Power Delivery communications channels
    [*]Products that use the authentication protocol retain control over the security policies to be implemented and enforced
    [*]Relies on 128-bit security for all cryptographic methods
    [*]Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

    Manufacturers who create devices that use USB-C will be able to implement the new authentication protocol into their devices to protect consumers. There is no requirement to implement support for USB-C authentication at this time, with protocol provided as an option to OEMs.

    Though Apple has not commented on the release of the program, the Cupertino company will likely be one of the companies to adopt USB-C authentication protocols in the future given its focus on security.

    Article Link: USB-C Authentication Program Launches to Offer Future Protection Against Malicious Hardware
     
  2. mcbumbersnazzle, Jan 2, 2019
    Last edited by a moderator: Jan 2, 2019

    mcbumbersnazzle macrumors newbie

    Joined:
    Dec 21, 2018
    #2
    Great apple will now use this to block any accessories that aren't "made for mac" and forcing people to buy their $80 dongle smh
     
  3. chucker23n1 macrumors 68000

    chucker23n1

    Joined:
    Dec 7, 2014
    #3
    This is rather short on details.

    • will there be a central certification authority? Or can any manufacturer create their own keys? Can a manufacturer like Apple decide to whitelist or blacklist certain devices?
    • how much control does the user get? Does the spec expect the OS to present a dialog, like iOS 7 and newer do for Lightning devices, for the user to confirm that the device is trustworthy? If so, has there been usability research on this, particularly regarding the risk of making such a dialog useless as the user is trained to always accept?
     
  4. nwcs macrumors 68000

    nwcs

    Joined:
    Sep 21, 2009
    Location:
    Tennessee
    #4
    I’m surprised it took this long for anything like this to be announced. It should have been announced years ago. The overall risk is still quite small but eventually I can see this being mandatory for any plug and play device.
     
  5. randyhudson macrumors regular

    Joined:
    Oct 28, 2007
    Location:
    East Coast
  6. Arbuthnott macrumors member

    Joined:
    Jul 4, 2008
    #6
    Oh joy! Thank goodness we are now going to be protected from buying cheap generic USB leads. I wondered how long it would be before USB C leads became as ridiculously expensive as the Apple leads always are. And of course, the opportunity for USB leads to be anything other than simply a way of attaching wires to a port has been created entirely by Apple and others building in all manner of coding into the lead in order to be able to charge you more for it. Time for the EU to demand that the USB standard should revert to being a dumb connector.
    --- Post Merged, Jan 2, 2019 ---
    I bought two robust and cheap Lightning - USB leads to the console of my motorbike, to use my iPhone for GPS. Initially the leads were great, but one or another of the iOS updates changed that. These leads now will allow some connection to the phone, but not reliably, and charging often stops. Charging is essential when using the GPS for many hours of outing. I cant see why Apple should be able to insist that I can only use leads that they get paid an exorbitant licensing fee for. I mean, isn’t that exactly what Apple are being riteously indignant about with Qualcomm? Sauce for goose. Stop ripping us off for leads!!!
     
  7. SoN1NjA macrumors 68000

    SoN1NjA

    Joined:
    Feb 3, 2016
    Location:
    the pool
  8. lunarworks macrumors 65816

    Joined:
    Jun 17, 2003
    Location:
    Toronto, Canada
    #8
    As long as it's optional, this is boon for anyone security conscious. Especially if it applies to Thunderbolt. There's all kinds of wild malicious tricks that can be performed over USB these days, and anything that can potentially lock them out will be welcome.
     
  9. coolfactor macrumors 68040

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #9
    This could've been one reason why Lightning was developed and held on for so long. With this new protocol, we could see Apple move entirely to USB-C. I'd miss Lightning, but we will adapt.
     
  10. farewelwilliams macrumors 68000

    Joined:
    Jun 18, 2014
    #10
    no. that doesn't make sense at all. if apple really wanted to do that, they wouldn't have adopted usb-c in the first place. they would have created another proprietary port.
     
  11. Jetfire macrumors 6502

    Joined:
    Jul 10, 2008
    Location:
    Cincinnati, Ohio, USA
    #11
    I just wish the would make USB-C cables a Standard like USB 2 and UBS 3 were. Man when I looked to buy one. I found out all the pitfalls USB-C created. I'm not talking about Thunderbolt 3 vs USB-C. USB-C cables can be Power only or limited Data through-put. And the selection is not on par with the old USB like lengths and extensions
     
  12. Kabeyun macrumors 68000

    Kabeyun

    Joined:
    Mar 27, 2004
    Location:
    Eastern USA
    #12
    Fixed.
     
  13. chucker23n1 macrumors 68000

    chucker23n1

    Joined:
    Dec 7, 2014
    #13
    I don't know what you mean by "leads".

    USB was never a particularly dumb connector. It's gotten more complex with type C, but type A/B was hardly dumb, and BadUSB attacks were possible with those.

    I can sort of see making it more configurable in an MDM environment, and probably a developer mode where you opt out entirely so that you can test self-developed hardware. But other than that, odds are this will be mandatory on macOS and Windows within a few years.
     
  14. BornAgainMac macrumors 603

    BornAgainMac

    Joined:
    Feb 4, 2004
    Location:
    Florida Resident
    #14
    That was probably the hidden plan to move to that standard the entire time.
     
  15. Arbuthnott macrumors member

    Joined:
    Jul 4, 2008
    #15
    Lead: from the dictionary, "BRITISH a wire that conveys electric current from a source to an appliance, or that connects two points of a circuit together."

    Dumb Connector: n conductors in, arranged in a particular plug format; n conductors out, also arranged in a particular plug format. No electronic signal processing in the lead at all. Just moving electrons along separate conductors between devices. All the processing to be done in the devices themselves, rather than having some processing done in the lead

    The only reason, in this case, for putting electronics into the cable (yes, to be pedantic, into one or both of the plugs), is to be able to dictate terms for licensees to be able to manufacture and sell cables that some fee has been paid for.
     
  16. aka-47 macrumors newbie

    aka-47

    Joined:
    Jan 2, 2019
    Location:
    Next to u!
    #16
    Despite vulnerabilities I believe my Apple 13in Retina MacBook Pro (Early 2015) will be a competitor to devices with USB-C for some time.
     
  17. HenrikWivel macrumors newbie

    Joined:
    Nov 2, 2016
    #17
    Hope the protocol will be used to enhance security and not to block 3. party devices from working. Or even worse, use it for throttling or limiting functionality.

    Raises tons of questions about the management and organisation around it, though. Just to mention a few: Who decides what is ‘safe’ and for whom? Who have authority to blacklist, based on which criterias and on which terms?
     

Share This Page