Security

USB Type-C Authentication Program Launched (newatlas.com) 133

With the arrival of USB-C a few years back, plugging into laptops, tablets and smartphones became even easier than before. But there are potential security risks. The USB Type-C Authentication Program launched today aims to address such issues. From a report: The new protocol from the USB Implementers Forum (USB-IF) can be used to validate the authenticity of a cable, charger or hardware at the moment of connection, and stop attacks in their tracks. The USB-IF has chosen DigiCert to operate registrations and certificate authority services for the new specification, which makes use of 128-bit cryptographic-based authentication for certificate format, digital signing, hash and random number generation.

"USB Type-C Authentication gives OEMs the opportunity to use certificates that enable host systems to confirm the authenticity of a USB device or USB charger, including such product aspects as the descriptors, capabilities and certification status," said DigiCert in a press release. "This protects against potential damage from non-compliant USB chargers and the risks from maliciously embedded hardware or software in devices attempting to exploit a USB connection."

This discussion has been archived. No new comments can be posted.

  • Lovely. (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 02, 2019 @03:57PM (#57894074)

    So this is going to enable Apple and their ilk to even more aggressively force people to buy their own craptastic cables.
    Good intentions, but I know exactly how this will be used.

    Mark my words, it will be used to oppress the user, not protect them.

    • by Anonymous Coward

      That was my first thought as well.

      Perhaps the EU will require that manufacturers allow use of non-vendor certified chargers/devices with one click or one keystroke and that decision must be remembered for the life of the system so no more prompting will be required.

      • It's not even that, it's not "authenticating" anything except that the device vendor paid DigiCert for a certificate. Like web site certificates, it tells you absolutely nothing about the safety of the thing you're connecting to, merely that someone, whether it was a legit organisation or a hacker with a stolen credit card, decided to spend money for a certificate to lull you into a false sense of safety.
    • So this is going to enable Apple and their ilk to even more aggressively force people to buy their own craptastic cables. Good intentions, but I know exactly how this will be used.

      Mark my words, it will be used to oppress the user, not protect them.

      That will be the net effect. It's a stupid program designed to extort people for more of their hard earned money.

    • by Anonymous Coward

      My Super Monster Gold-Plated USB Type-C cable is working just great! It was only $500, but well worth every dollar. The manufacturer specifications state each cable is hand crafted using only the best children's tears and wrapped in bald eagle feathers.

      • My Super Monster Gold-Plated USB Type-C cable is working just great! It was only $500 ....

        Ha! My $8,500 Ethernet cable [audioquest.com] sneers at your $500 USB cable! (They also have a 1.5-meter USB cable for $700.)

        Some people just have Too Much Money, and the rest of us have a moral obligation to help relieve them of some of it.

    • by Agripa ( 139780 )

      So this is going to enable Apple and their ilk to even more aggressively force people to buy their own craptastic cables.
      Good intentions, but I know exactly how this will be used.

      Mark my words, it will be used to oppress the user, not protect them.

      It will not make any difference. One of the first USB-C ASICs advertised included DRM for the charging as a feature. Authentication was built into the standard.

  • by Mia Yuuki ( 1374919 ) on Wednesday January 02, 2019 @03:57PM (#57894076)

    I can see it now. I am sorry, the certificate on your charging cables does not match the approved list on the phone and thus you need to order a new charging cable from the vendor. Oh, and if you persist in trying to use the non-approved cable from Amazon, we will be forced to void your warranty. Remember kids, only use Vendor OEM USB Devices. Everyone else is just a crook.

    • by Anonymous Coward on Wednesday January 02, 2019 @04:02PM (#57894112)

      Worse: "The certificate for your otherwise authorized power supply has now expired."

      • by Anonymous Coward

        Since here, there are laws requiring device makers to allow using any microUSB charger.
        They specifically made a law to end this bullshit. Which is why Apple products include an adapter.
        I would be surprised if the same legislators aren't already drafting laws to stop this too as we speak.

        There are still a few non-fascists (aka non-neocons) in the EU dictatorship administration, it seems. Corporations still haven't completely taken over.

      • by AmiMoJo ( 196126 )

        This happened with a literal Internet of Shit device in Japan recently.

        A company made an IoT button you can press when your baby takes a dump. It logs the defecation event to the cloud so that you can keep track of your offspring's bowel movements. I assume there was a "post to Facebook" option as well, literally shitting all over your friends' timelines.

        Unfortunately a hard coded certificate expired a few months after it went on sale and they had to do a recall. For their shitty shitting internet of shit

    • Don't worry. The protocol will be full of holes and buffers to exploit. Now your fancy charging cable can spread malware.

      • There are two kinds of danger for USB devices. This is intended to protect against the first: that a cheap cable from SuperGoodHappyCablesCompany advertises that it's able to carry 40W but actually catches fire if you run more than 5W through it for an extended period. This can be addressed by adding some authentication to everything in the chain so that you can drop the power when things are not certified.

        The second problem is that the firmware in the USB controller is typically buggy, as is the USB sta

    • by Anonymous Coward

      This just helps ensure that only authorized compromised cables can be used with your USB 3 device. It does NOTHING to ACTUALLY stop malicious cables being used to disable or destroy your device, since they can just take components from an authenticated cable to pass the handshake then use their own microcontroller or circuit to fry your hardware when it attempts to charge or connect over the cable.

      • by AmiMoJo ( 196126 )

        To be fair I think the main goal is to stop poorly manufactured cables from damaging equipment, not to defend against malicious ones. The uncertified ones can just work with data and 5V charging, but certified ones are supposed to be safe for use at 100W.

    • by zlives ( 2009072 )

      meh i don't know if this would/could apply to cables, but definitely chargers. also i can see where a device could get a prompt saying if the charger had a valid cert (not date valid but manufacturer valid). i have bought "apple" chargers that look like apple except for a minor detail that only becomes apparent when the charger doesn't work.
      I am assuming you would have the choice to trust a cert from a non -apple- manufacturer or bypass the warning to check for certs like we do with browsers today.

      • I am assuming you would have the choice to trust a cert from a non -apple- manufacturer or bypass the warning to check for certs like we do with browsers today.

        This is where the tricky part comes in. If you really commit to this being a good idea for "security" and such, then you have to make the assumption that the average user is completely technology illiterate. As such, you then have to ask yourself, do I trust the user to have any idea what is going on if I prompt them that there is some certificate error? Will they research this and understand or just click accept because they just want it to work and this annoying certificate prompt is stopping them. In

        • The user won't be prompted with a certificate error, the device will just fall back to charging at the lowest power mode.
      • by sjames ( 1099 )

        I am assuming you would have the choice to trust a cert from a non -apple- manufacturer or bypass the warning to check for certs like we do with browsers today.

        You should, so you don't end up locked in. Which is exactly why I assume that ability will quietly disappear one fine day. Possibly after a "totally accidental" time delay to make sure everyone's installed the new shiny before the other shoe drops.


    • Yeah, this is just a rehash of the attempts to prevent folks from using unwanted (from content provider's view) playing/recording devices.
      • by sjames ( 1099 )

        Or the dreaded non-OEM ink and toner which will like totally make your printer explode and mutate your cat's DNA.

    • by WankerWeasel ( 875277 ) on Wednesday January 02, 2019 @04:13PM (#57894200)
      To be fair, Amazon was selling a ton of cables that didn't meet the spec and were putting devices in danger of being legitimately damaged. Still, it's doubtful they'll be able to prevent such junk on the platform as they still allow all kinds of counterfeit product for sale on their site. https://www.theguardian.com/te... [theguardian.com]
      • by sexconker ( 1179573 ) on Wednesday January 02, 2019 @08:12PM (#57895716)

        Devices were putting themselves in danger by not having basic electrical protection on the ports. In the 90s, this was such a common (and commonly solved) problem that the Taiwanese motherboard manufacturers listed all sorts of per-USB-port short, over voltage, over current, etc. protections on the box.

        It became a problem again with USB 3 because the first players to the market with USB controllers didn't learn their lesson from the USB 1.0/1.1 days. There's absolutely no reason a bad USB cable should be able to kill an entire device. At worst, it should kill a single port. Ideally, it would have a replaceable/resettable fuse so you don't even lose the port.

        • by AmiMoJo ( 196126 )

          Yeah, those old USB protection circuits won't survive 20v/5A on the data lines. And even if they did, the cable catching fire would burn your house down anyway.

          In fact there exist malicious devices that destroy USB ports precisely by applying very high voltages to the data lines of USB ports.

          Also, it's even harder to protect USB 3.0 ports because they operate at higher speeds over many more lines. On USB 1.1 you had four wires to worry about, and a maximum frequency of 12MHz. On USB 3.0 with a USB-C connect

          • It's all doable, but the USB IF chose to not care, yet again.
            Modern USB (3/3.1/3.2 Gen 1/2/.../C/PD/etc.) is a fucking joke.

          • by torkus ( 1133985 )

            A cert isn't going to stop a malicious or miswired cable/charger that dumps 20v on the data line from doing damage. Authorized or not, you have to handshake and that opens you up to a High voltage attack.

            But that's not even vaguely what the intent is here. It's to prevent no-name manufacturers making and selling a cable/charger that's out of spec and devices getting damaged using it. In theory if it doesn't handshake with its certs, it will default to whatever safe level (or no access) is default.

            Mind y

      • Regardless of the damage to the device potential, that is purely the USER's choice, not Apple's or Samsung's or whoever wants to prevent 3rd party kit. At most they should WARN a user the device may damage the device. If they really wanted to prevent the damage they would not arse rape their consumers with 1000%+ markups on sub $1 cables and chargers.
      • To be fair, Amazon was selling a ton of cables that didn't meet the spec and were putting devices in danger of being legitimately damaged.

        The solution to this is not "software authentication". It's proper hardware design.

        • by torkus ( 1133985 )

          Well yes, of course.

          But that costs money as does the implementation.

          When you're selling cheap cables that are even more cheaply made...you often don't spend that money.

          • It's not up to the cable to be expensive. It's up to the device at either end to limit itself to a safe level. We've repeated the mistakes from early USB 1.0 devices. And no protecting does not cost money for implementation, at least not significantly due to the incredibly low cost of protection devices and the fact that they are often baked into the silicon itself.

            If you have a standard that auto-negotiates how to provide power, then that standard should also ensure that no possible misconnection scenario

    • I can see it now. I am sorry, the certificate on your charging cables does not match the approved list on the phone and thus you need to order a new charging cable from the vendor. Oh, and if you persist in trying to use the non-approved cable from Amazon, we will be forced to void your warranty. Remember kids, only use Vendor OEM USB Devices. Everyone else is just a crook.

      This can absolutely be used that way. Not that different from DRM.

      On the other hand it can be used to prevent that rogue USB flash drive you found on the parking lot from installing a key logger in your computer.

      There is no evil in the technology itself, the evil is in the heart of men.

      • by gmack ( 197796 )
        This won't do anything to solve that problem since it was always an OS issue. You can just as easily install a keylogger on an approved device.
      • by mysidia ( 191772 ) on Wednesday January 02, 2019 @05:08PM (#57894522)

        On the other hand it can be used to prevent that rogue USB flash drive you found on the parking lot from installing a key logger in your computer.

        Not at all. That Rogue USB flash drive will still be able to contain installable malware. Nothing about the authentication standard changes that.

        • Not at all. That Rogue USB flash drive will still be able to contain installable malware. Nothing about the authentication standard changes that.

          The problem is not having installable malware. The problem is a rogue usb device that pretends to be a usb drive, but also behaves as a usb keyboard, and as soon as it is inserted, it presses Win+R and run whatever it wants without user intervention.

          If the devices are required to be digitally signed, the os can refuse keyboards or other devices from running stuff without user permission. If the USB drive has a file with malware and you run it, well, that is your own damn fault.
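The "ask the user before a keyboard is accepted" idea from the comment above, sketched as an added example that is not part of the thread: it walks a USB configuration descriptor and asks for approval when a device that presents as mass storage also exposes a HID interface. The function names, the allow/prompt/reject policy and the two sample descriptors are constructed for illustration; the class codes and descriptor layout are the standard USB ones.

```python
import struct

# Standard USB class codes (bInterfaceClass) and descriptor types.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
DESC_CONFIGURATION = 0x02
DESC_INTERFACE = 0x04


def parse_interfaces(config: bytes):
    """Return (class, subclass, protocol) for each interface descriptor
    found in a configuration descriptor blob."""
    if len(config) < 9 or config[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", config, 2)[0]
    if total_len > len(config):
        raise ValueError("wTotalLength exceeds supplied data")
    interfaces, offset = [], 0
    while offset < total_len:
        if offset + 2 > total_len:
            raise ValueError("truncated descriptor header")
        b_length, b_type = config[offset], config[offset + 1]
        # A zero or overlong bLength would loop forever or read past the end.
        if b_length < 2 or offset + b_length > total_len:
            raise ValueError("bad bLength at offset %d" % offset)
        if b_type == DESC_INTERFACE:
            if b_length < 9:
                raise ValueError("short interface descriptor")
            interfaces.append(tuple(config[offset + 5:offset + 8]))
        offset += b_length  # class-specific and endpoint descriptors are skipped
    return interfaces


def decide(config: bytes) -> str:
    """Hypothetical host policy: 'reject' malformed descriptors, 'prompt'
    when a storage device also offers HID input, otherwise 'allow'."""
    try:
        interfaces = parse_interfaces(config)
    except ValueError:
        return "reject"
    classes = {cls for cls, _sub, _proto in interfaces}
    # Any HID interface counts: only boot keyboards announce themselves in
    # the interface descriptor (subclass 1, protocol 1); others need the
    # report descriptor to tell a keyboard from a mouse or a security key.
    if CLASS_MASS_STORAGE in classes and CLASS_HID in classes:
        return "prompt"
    return "allow"


# --- Constructed sample descriptors (not captured from real hardware) ---
def _config(n_if, *body):
    payload = b"".join(body)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION,
                       9 + len(payload), n_if, 1, 0, 0x80, 50) + payload


def _interface(num, n_ep, cls, sub, proto):
    return bytes([9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])


def _endpoint(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, max_packet, interval)


_STORAGE = (_interface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50),  # SCSI, bulk-only
            _endpoint(0x81, 0x02, 512, 0), _endpoint(0x02, 0x02, 512, 0))
_HID_DESC = struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63)

PLAIN_DRIVE = _config(1, *_STORAGE)
DRIVE_PLUS_KEYBOARD = _config(2, *_STORAGE,
                              _interface(1, 1, CLASS_HID, 0x01, 0x01),
                              _HID_DESC, _endpoint(0x83, 0x03, 8, 10))

if __name__ == "__main__":
    for name, blob in [("plain drive", PLAIN_DRIVE),
                       ("drive + keyboard", DRIVE_PLUS_KEYBOARD)]:
        print(name, "->", decide(blob))
```

A prompt rather than a block keeps devices that combine storage and HID for legitimate reasons usable, at the cost of relying on the user's answer.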

          • by mysidia ( 191772 )

            problem is a rogue usb device that pretends to be a usb drive, but also behaves as a usb keyboard, and as soon as it is inserted, it presses Win+R and run whatever it wants without user intervention.

            Uhm... in this case, WHO gets to decide what hardware is legitimate?
            There are perfectly USB devices that act as HID devices "pretend to be keyboard" for perfectly legitimate reasons -- things like
            remote KVM over IP devices with Virtual Media, Auto-Typers, Mouse Wiggler, Two-Factor Auth tokens such as Yu

  • I am waiting to see a USB charger.
    I have seen a lot of adapters mislabeled as that, but never a true charger.
    • I'm not sure what you mean here. Do you mean that an adapter meeting the Battery Charging spec [usb.org] or its successor the Power Delivery spec [usb.org] is not a "USB charger"? Or do you just mean that the vast majority of power adapters on the market with a USB A or C receptacle materially fail to meet the spec?

      • Calling something like:
        https://www.amazon.com//dp/B07... [amazon.com]
        a charger.
        Its a adapter. Rectifier technically.
        • by Pascoea ( 968200 )
          For someone being as pedantic as you are, you could have at least used proper English. Improper use of a colon. Incomplete sentences. "Its" vs "It's", "a" vs. "an".
          • With words I am. I hate people who use literally when they mean figuratively.
            Not so much grammar. I don't get a blue line under bad use in my browser.
        • by Anonymous Coward
          Unless this thing's putting out 155Vdc when plugged into a 110Vac (RMS) outlet, or 340Vdc when plugged into a 240Vac (RMS) outlet... methinks you don't know what a rectifier is.
  • From the summary:
    "This protects against potential damage from non-compliant USB chargers and the risks from maliciously embedded hardware or software in devices attempting to exploit a USB connection."

    I think the summary omitted:
    More importantly, this protects against loss of revenue to 3rd party vendors who make USB chargers.

    If it was only about compatibility and non-compliant chargers, USB-IF certification should suffice. As for malicious attacks, no certificate is going to protect the port against a brut

  • by FrankSchwab ( 675585 ) on Wednesday January 02, 2019 @04:20PM (#57894252) Journal

    ...to transition from Lightning to USB-C. They had to have a way to maintain their revenue from selling $20 cables, and licensing the ability to sell authorized cables. I don't know how many lightning cables I've thrown away because they worked for three months, then Apple updated IOS and blocked them.

    Now I'll have to buy Apple USB-C cables, and HP USB-C cables, and Lenovo USB-C cables, and Nikon USB cables, and Microsoft USB cables. And, with OEMs promiscuously relabeling each other's products, I'll never know which cable to use with which devices.

    They've re-invented the RS-232 connection nightmares, but without the ability to carry a bag of dongles that might straighten things out. And so dies USB as the most successful cabling and protocol standard in technology history.

    • by Anonymous Coward

      This year's iPad Pros already switched to USB-C.

    • They had to have a way to maintain their revenue from selling $20 cables, and licensing the ability to sell authorized cables. I don't know how many lightning cables I've thrown away because they worked for three months, then Apple updated IOS and blocked them.

      I'm going to disagree with you before agreeing with you.

      For my part, I've been buying extra Lightning cables for years—not a single one of which was from Apple—and have never run into anything like what you're describing. I purchased extras from AmazonBasics (in 2013), Fordigi (2014), iXCC (2014), Kinps (2015), and Anker (2018), as well as at least one other brand whose name I can't even remember in 2018, and I've never had a single one fail to work with a new device/accessory, with other people's

  • by Anonymous Coward

    This is completely the opposite to what I like about USB C. USB - universal. My whole family has been eying up USB C and making purchase decisions based on that because the reality is batteries are so crap and can't be removed that every time you visit someone else's house you need a charger. Now sure you can carry one in your pocket but that's not exactly always an option.

    My mum has a MacBook air with a USB C cable and I plug my old nexus 6p into it happily. My girlfriend has a Samsung galaxy note 9 and we ha

  • Anyone who has had the joy of having to authenticate their part via CAN BUS on a Ford ( in my case) knows exactly what I am talking about.
    • by fisted ( 2295862 )

      At least Ford terminates all CAN busses right on the DLC instead of having a stupid ass gateway in front of it.

  • The two endpoints should authenticate against each other. A cable? OK, so it says it's "legit" and "authorized" but there is zero information about the condition of the cable. Maybe it's heavily frayed, or about to fall onto a hot soldering iron. No help at all. Other than restricting whose cable you can buy, of course...
    • Conductor ampacity, resistance, and maximum voltage would be simple starting points.

      I do agree that this has far more potential for vendor abuse than consumer protection. I bought my first portable USB-C device over the weekend (an iPad) and am really pissed off about the limitations imposed by the solution even today. My must-have travel charger kit went from a 6-port multi-output charger with dongles for micro-USB, Lightning, Apple Watch now needs a new cable, and potentially a new multi-output charger.

      • by dgatwood ( 11270 )

        Conductor ampacity, resistance, and maximum voltage would be simple starting points.

        Do not want. Putting additional intelligence in cables just increases the odds of the cable failing because some unnecessary chip decides to stop working. And a couple of those don't even make sense:

        • The maximum voltage for a USB cable is limited only by the distance between pins (arcing), which is defined by the shape and size of the connector itself, making that number entirely moot, barring something really bonkers.
        • The
        • by AmiMoJo ( 196126 )

          The resistance should be approximately zero

          That's where real life gets in the way. You have three parameters: very low resistance, small/flexible cable, and low cost. Pick any two.

          This issue will keep getting worse as time goes by and we demand faster and faster charging. Even now most phones play it safe by slowly ramping up current draw until the voltage starts to sag too much, figuring that is probably a safe point where the cable won't catch fire.

      • Fray that cable, and the current capacity just dropped. But it was safe - because I plugged it in and it said "safe"! Use 24 AWG, and you're good for about 4A of current... How much more do you need than that?

        For my charging purposes, I use my laptop (Lenovo P71) that has a USB 3.0 port that are always "live" - regardless of the laptop being plugged in or turned on. I carry a three-adapter cable [amazon.com] in my backpack to keep not just my Note 8 and Bluetooth devices charged (USB C and micro B USB), but have bai

    • Re:Why the cable? (Score:4, Insightful)

      by willy_me ( 212994 ) on Wednesday January 02, 2019 @05:16PM (#57894582)

      The USB Type-C standard already mandates an active cable if you want to utilize the full 5A that the standard can supply. It might not have information on the condition of the cable - but nothing can prevent users from being stupid. It is just another level of security which, with all the other protections, helps prevent damage when power traverses USB.

      It is easy to add an IC to a USB connector - they are basically designed for it. See this [digikey.ca] part to see how it is typically done. So adding the ability to verify the cable does make sense for workplaces that require the security. It is just too easy to, for example, add a keylogger to a cable.

      No computer manufacturers would ever get away with requiring authenticated cables. Apple might try but the public outcry would be immense. That being said - having it as a bios setting is exactly what a certain subset of users require.

      • Apple includes an MFI chip in authorized cables [gizmodo.com] and their consumers took it willingly. I hope Android fans will stand fast against what Apple does...
        • Including an IC to verify the current capacity of the cable is not a bad idea. It is the price one has to pay for having a "one size fits all" solution. A quick check of Monoprice shows a short USB Type-C cable going for $5 while the certified Lightning cable goes for $6. I would not call that much of a price premium.
  • apple charger $29.99 apple car cig charger $39.99. euro plug for us phone $39.99

    all 3rd party locked out.

  • I've had two USB-C phones now and it's a crapshoot if a cable will actually stay in the phone. And if you have half a millimeter of lint stuck in socket you're screwed. It seems like tolerances within the spec between the plug and the socket are too loose.
    • Or maybe clean your pockets out more often? Get a port cover? Stop rolling around in lint?

      • by caseih ( 160668 )

        Oh wow. Are you serious? Also you realize that dust and dirt can get inside the male USB C connector itself and cause all sorts of mechanical problems.

        I love that everyone is standardizing on the same type of connectors, but let's not fool ourselves that these are the most robust connectors in the world. And this cable DRM scheme is certainly disappointing, if not surprising.

        • by Anonymous Coward

          Oh wow. Are you serious? Also you realize that dust and dirt can get inside the male USB C connector itself and cause all sorts of mechanical problems.

          I love that everyone is standardizing on the same type of connectors, but let's not fool ourselves that these are the most robust connectors in the world. And this cable DRM scheme is certainly disappointing, if not surprising.

          Get yourself a magnetic USB charging cable. The magnet goes into your power port, and then you can use the magnetic cable to "snap" onto the device of your choice. Then get another because you have become too lazy to move it to the bed from your desk. So convenient.... ( 8(|) Mmmmm

  • Here's a press release [usb.org] with some technical info. It says that the full details are in a "USB Power Delivery 3.0" (a new revision) and "USB Type-C Bridging" (a new specification).

  • I thought, this might be the USB consortium, attempting to improve the atrocious reputation USB C has.

    It (to my knowledge) can still fry your phone, nintendo switch, or whatever you plug into it, if you use a cheaper cable.

    If you purchase one of those high end, new USB-C battery packs, then plug in a USB-C to USB-C cable into another pack? What happens?
    I don't know, but it's certainly, physically possible.

    I know Nintendo switches have been destroyed, I know Benson at Google lost a Chromecast due to a poor U

  • ..because this is rent-seeking of the highest order.

    Honestly, my cables do not need to be signed. I just need to exercise some discrimination and buy from reputable manufacturers.
