As security programs go, the USB Type-C Authentication Program has a lofty goal: to create a cryptographic-based authentication scheme that would protect host systems from malicious USB chargers, cables, and devices.
USB Type-C is commonly found on notebooks, smartphones, and other connected devices because it allows faster data transfer and more power delivery than other USB interfaces. However, many enterprises disable the USB ports on corporate devices because adversaries are increasingly targeting USB devices and ports. A better approach would be to let enterprises whitelist permitted USB devices. Users want assurances that the charger or the public charging station they are using will not fry their devices. The USB Type-C Authentication Program, unveiled by the non-profit group USB Implementers Forum, would make it possible to check that the device (or cable) is what it claims to be at the moment it is plugged into the USB port.
The dangers of USB-based attacks range from malicious payloads on USB devices, which can load malware onto the host system (to inject keystrokes, install backdoors, emulate mouse movements, log events and data, and hijack traffic), to counterfeit cables and chargers that deliver too much (or too little) power and damage the system. Researchers have shown how plugging a device into a malicious power charging station could result in the device being infected with malware. Under this authentication program, OEMs and vendors will be able to certify that their USB Type-C products are protected against commonly used hardware attack methods and have not been modified.
Many operating systems used to open USB devices automatically, but that is no longer the default behavior because of the increased risks. As a result, many operating systems implicitly do not trust USB devices on the first run, and require users to actively open the connection to the device. The USB Type-C Authentication Program will provide manufacturers and OEM vendors with a security framework based on the USB Type-C Authentication specification, originally unveiled in 2016 by the USB-IF and the USB 3.0 Promoter Group. The protocol supports authenticating over either the USB data bus or USB Power Delivery communications channels and enforces 128-bit security for all cryptographic methods. The protocol will also let products retain control over the security policies.
The specification outlines how host devices would confirm the authenticity of whatever is plugged into the USB port immediately, before any data or power transfer is made. The system will either block or permit the transfer of data or power, depending on the result of the validation check. It's not only the host that can make the validation check; a charger can also authenticate a host, said Jeff Ravencraft, president and COO of USB-IF.
OEM vendors and manufacturers can create products that meet the specification so that the host system can use the protocol to perform the authentication checks. Certified devices will use 128-bit cryptographic-based authentication for certificate format, digital signing, hash and random number generation. Certificate authority DigiCert will provide and manage the public key infrastructure and the certificates used for the program. OEM and device manufacturers will contact DigiCert directly to set up their PKI operations and for certificate issuance, and DigiCert will provision a signed intermediate CA.
"A company can issue certificates, via our certificate program with DigiCert, that can then be embedded in their products, giving their products a specific proof of identity and capabilities," said Ravencraft. "Companies' CA operations are rooted in the USB-IF CA."
At this point, the primary motivation for the program seems to be less about blocking attacks using malicious hardware than about addressing the problem of counterfeits. The approach will confirm that the product was actually made by the manufacturer, but may not have a measurable impact in attesting to the security of a given device. Windows expert Alex Ionescu was concerned that including the authentication functionality at a low level could potentially introduce more bugs and increase the attack surface.
"Primary purpose is to fight counterfeits and help identify malicious or uncertified products," Ravencraft said.
The program opens up a lot of potential use cases for enterprises, such as being able to set security policies to restrict USB functions based on certificate status. For example, enterprises can set policy to allow phones to be charged only at public terminals that pass the validation check.
"[Enterprises] will be able to define a policy for dealing with products that have a certificate and those that don't," Ravencraft said.
However, for individual users, there is a risk that this program could become over-restrictive and impose a form of hardware DRM, making devices incompatible with other USB Type-C products in the market. The program is open-ended and leaves it up to individual vendors how to use the certification program. Vendors can also use the program to restrict support to only approved (certified) devices, for example by making a device unable to use a cable from another brand. If a Samsung device needs its own Samsung cable as opposed to using the one from LG or a generic one purchased off Amazon, this would seriously impact usability. All existing cables would be unlikely to be certified, so users may be forced to swap out cables at some point.
"The intention of the program seems good, but there is certainly room for abuse," Joe Fedewa wrote over at XDA-Developers. "USB-C has been a promise of one standard connector for all devices. We'd hate to see that ruined by devices that won't allow users to use perfectly safe 3rd-party accessories."
Hardware manufacturers haven't said they will use the program to lock consumers into only using "supported" accessories, but the potential is there. USB-IF consists of representatives from manufacturers including Apple, HP, Intel and Microsoft, so these companies likely are working on these products. Participation in the program, which is ready to issue certificates, is currently optional for OEMs. There is time to see how the certification rules will evolve.
Image credit: Photo by Stefan Steinbauer on Unsplash