USB-IF keeps malware at bay with USB Type C authentication spec

The USB Implementers Forum (USB-IF) recently announced a new cryptography-based authentication specification for USB Type C chargers and devices.

“USB Type-C™ Authentication empowers host systems to protect against non-compliant USB Chargers and to mitigate risks from maliciously embedded hardware or software in USB devices attempting to exploit a USB connection,” USB-IF president and COO Jeff Ravencraft told Computerworld Hong Kong.

The new USB Type C is the next-generation USB introduced in August 2014 and is being eyed as an ideal single cable solution for all platforms and devices. Its three key selling points are: the ability to deliver up to 10Gbps data transfer speed; a fast charging capability up to 100W to power all your devices, including desktops and workstations; and a connector with reversible plug orientation and cable direction.

To date, a number of tech companies have released products that support the new USB Type C. USB-IF, which develops and promotes USB standards, has about 800 members worldwide, with 24% and 22% of them from China and Taiwan respectively.

Figures released in January by research firm IHS predict that market adoption of the new USB Type C will reach 2 billion devices by 2019 across all platforms.

The newly added authentication specification addresses the issues arising from faulty USB Type C cables and devices that were found in the market.

Using the new specification, host systems can confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors/capabilities and certification status. All of this happens right at the moment a wired connection is made – before inappropriate power or data can be transferred.

For a traveler concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers. A company, tasked with protecting corporate assets, can set a policy in its PCs granting access only to verified USB storage devices.

“We have these things in the past where a bad person might modify the firmware and when you plug it in, it looks like a USB device but it is really going to do some harm. So this specification allows the host to ensure it is a certified product and what its capabilities are. It will also validate that the flash drive is in fact a flash drive and not a device trying to do malicious harm,” Ravencraft said.

According to USB 3.0 Promoter Group Chairman Brad Saunders, the USB Type C’s new authentication feature puts security in place at the point of contact – at the hardware level.

“Authentication is actually the key piece,” he said. “If you are asking about going to the next level and having the data secured – meaning the data is private – you can already do that with USB. But the weak part of that was that you didn’t know whether the device you are talking to is an authentic device, but it could be encrypting data in a way that is still very bad data. Encryption is typically done on a higher level like the OS. We are trying to secure the initial contact and let Apple, Google and Microsoft put the data security on top.”

Key characteristics of the USB Type-C™ Authentication solution include:

  • A standard protocol for authenticating certified USB Type-C™ Chargers, devices, cables and power sources
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation