A new standard recently announced by the USB Implementers Forum will prevent faulty USB-C cables from doing more damage. Based on cryptographic authentication, this protocol should also protect phones, tablets and laptops with USB-C ports from malicious hardware or software that try to exploit the connection between the cable and the device.
USB Type-C Authentication Features
- A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources
- Support for authenticating over either USB data bus or USB Power Delivery communications channels
- Products that use the authentication protocol retain control over the security policies to be implemented and enforced
- Relies on 128-bit security for all cryptographic methods
- Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation
Brad Saunders, Chairman of the USB 3.0 Promoter Group, said:
“USB is well-established as the favored choice for connecting and charging devices…in support of the growing USB Type-C ecosystem, we anticipated the need for a solution extending the integrity of the USB interface. The new USB Type-C Authentication protocol equips product OEMs with the proper tools to defend against ‘bad’ USB cables, devices and non-compliant USB Chargers.”
In July 2014, researchers Karsten Nohl and Jakob Lell found a serious flaw in USB security they dubbed “BadUSB”. This flaw allowed attackers to sneak malware onto devices through a USB connection, and would remain completely undetected, as the bad code was hidden in the USB firmware.
Although the original researchers didn’t publish the code, two other people, Adam Caudill and Brandon Wilson, announced that they successfully reverse-engineered the code and published it on GitHub. According to Caudill, the motive for the release was to put pressure on manufacturers. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he told Wired’s Andy Greenberg. “You have to prove to the world that it’s practical, that anyone can do it.”
At this time, it’s unclear whether this new USB-C protocol will defeat BadUSB, and other exploits like it, or if the standard is the first in a series of steps that will eventually render exploits useless.