New USB-C authentication spec protects against malware and shoddy chargers
The new capability lets a device check a variety of items about a charger or cable’s credentials, including its descriptor, capabilities, and certification status. The process will use 128-bit cryptographic signatures for authentication.
Protecting against inappropriately designed USB chargers is only one focus of the new specification. It’s also meant to protect against malicious hardware or software attempting to deliver an exploit via USB.
It’s not clear when we can expect device and peripheral makers to start building the authentication into their products. Once it is running, the USB 3.0 Promoters Group imagines a number of scenarios where the new specification will come in handy.
If you’re concerned about charging your phone at a public terminal, for example, your handset can be set to only allow power from certified chargers. Or, an IT department could use the technology to allow only verified USB storage devices to interface with company PCs.
The story behind the story: The new authentication specification comes several months after Google engineer Benson Leung began fighting against shoddy USB-C cables. Since November, Leung has been reviewing Type-C USB cables—including Type-A to Type-C—and calling out those that aren’t up to “code” and have the potential to harm your device. In late March, Amazon also joined the fight by blacklisting non-compliant USB-C cables. Now with the new authentication specification, it should become even easier to avoid poorly developed cables that have the potential to harm your gear.