USB-C adds authentication protocol

When one wire carries data and power, you need to protect against dodgy devices

The USB 3.0 Promoter Group has announced it has devised and will adopt a new “USB Type-C Authentication specification.”

The specification means makers of USB devices will be able to encode them with information about their source and function. When connecting to those devices, machines like computers or phones will be able to read that descriptor and choose to connect, or not, depending on policies.

The USB 3.0 Promoter Group says, “For a traveler concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers.” Or perhaps you're worried that your organisation's laptop fleet could be compromised by rogue USB devices, in which case you “can set a policy in its PCs granting access only to verified USB storage devices.” It's not clear if that will allow organisations to specify individual devices, or just devices whose manufacturers have implemented the spec.

USB-C needs this spec for two reasons. One is that, not to put too fine a point on it, users are idiots. How else to explain the fact that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs? Once USB-C becomes ubiquitous and makes a single wire responsible for carrying power and data, even the dimmest hackers will likely cotton on to the opportunities to craft crooked chargers or other evil devices.

The second is that there are lots of scumbags churning out second-rate electronics to make a quick buck. We already know that poorly-wired cables capable of frying kit are enough of a menace that Amazon.com recently banned the sale of non-compliant cables on its digital tat bazaar. If devices flag such kit as sub-standard, or refuse to connect to them, it's therefore a win for all but the junk-slingers.

Details of the spec can be found in the revised USB 3.1 spec (54MB .ZIP file). Feel free to trawl through it for the finer points of the authentication. The TL;DR version is that it “references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation,” so it sounds like a conventional issue-certificates-and-check-them caper.
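A minimal sketch of such an issue-certificates-and-check-them exchange, added here as an illustration and not taken from the USB specification or its wire format. It assumes X.509 certificates and ECDSA P-256 with SHA-256; the function names and certificate subjects are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// issue returns an X.509 certificate for key signed by ca/caKey; a nil ca yields a self-signed root.
func issue(cn string, key, caKey *ecdsa.PrivateKey, ca *x509.Certificate) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca == nil, BasicConstraintsValid: true}
	if ca == nil {
		ca, caKey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))))
}
// respond is the device side: sign the host's nonce with the device private key.
func respond(key *ecdsa.PrivateKey, nonce []byte) []byte {
	d := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, d[:]))
}
// hostAccepts is the host policy: the cert chains to the trusted root AND the signature covers this nonce.
func hostAccepts(root, dev *x509.Certificate, nonce, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && dev.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) == nil
}

func main() {
	rootKey, devKey, nonce := newKey(), newKey(), make([]byte, 32)
	must(rand.Read(nonce)) // fresh host challenge for every attempt, so old responses cannot be replayed
	root := issue("Constructed Root CA", rootKey, nil, nil)
	dev := issue("Constructed Charger", devKey, rootKey, root)
	fmt.Println(hostAccepts(root, dev, nonce, respond(devKey, nonce)), hostAccepts(root, dev, nonce, respond(newKey(), nonce)))
}
```

The second result is false because a copied certificate is useless without the matching private key, which is why the check needs the nonce signature as well as the chain.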

Doubtless the revised spec explains the efforts the folks behind it made to make the authentication bullet-proof. And as sure as night follows day, efforts to find loopholes in the spec that make it possible to crank out fake kit that presents itself as authentic will surely commence.

Anyone want to bet when The Register will write up a story about the first such crack? ®