An update to the USB-C spec aims to protect systems against hardware attacks

(Image credit: Pixabay (no attribution needed))

The USB Implementers Forum (USB-IF) is ringing in the New Year with the launch of its USB Type-C Authentication Program, an optional security protocol that could potentially make it less risky to plug in a USB device.

One way an attacker can compromise a system is by hacking a USB device and making modifications to the firmware or other hardware. If a user plugs in an compromised USB device, it can then infect the system, oftentimes silently.

The new spec enables OEMs to protect against these types of attacks by having the host system authenticate a USB device, cable, or charger. It happens as soon as the connection is made.

"USB-IF is excited to launch the USB Type-C Authentication Program, providing OEMs with the flexibility to implement a security framework that best fits their specific product requirements," said USB-IF President and COO Jeff Ravencraft. "As the USB Type-C ecosystem continues to grow, companies can further provide the security that consumers have come to expect from certified USB devices."

In addition to providing an added layer of security, the authentication program can also be useful in protecting against non-compliant USB chargers that might attempt to draw more voltage than is necessary, or safe.

Key characteristics of the new spec include the following:

  • A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources.
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels.
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced.
  • Relies on 128-bit security for all cryptographic methods.
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation.

This only applies to USB Type-C devices, which are not nearly as common as USB Type-A. Eventually, however, USB-C could become as ubiquitous as USB-A (right?!), and that's when this optional security update will be the most beneficial.