USB Type-C Auth: Now Monopolizing Backdoors in Yer ROM's

grarpamp grarpamp at
Thu Jan 3 00:01:48 PST 2019

"badusb"

Not your keys, not your hardware.
Not open, not yours.

With the arrival of USB-C a few years back, plugging into laptops,
tablets and smartphones became even easier than before. Users no
longer had to worry about which way up the cable needed to be before
pushing the 24-pin connector into a device's port, and could also look
forward to fast data transfer and power delivery too. But there are
potential security risks. The USB Type-C Authentication Program
launched today aims to address such issues.

Trustingly plugging a USB charging cable into any available public
port can leave your device open to attack from hidden malware, could
cause permanent damage from a power surge and may even open the door
to your personal or business data.

The new protocol from the USB Implementers Forum (USB-IF) can be used
to validate the authenticity of a cable, charger or hardware at the
moment of connection, and stop attacks in their tracks.

The USB-IF has chosen DigiCert to operate registrations and
certificate authority services for the new specification, which makes
use of 128-bit cryptographic-based authentication for certificate
format, digital signing, hash and random number generation.

"USB Type-C Authentication gives OEMs the opportunity to use
certificates that enable host systems to confirm the authenticity of a
USB device or USB charger, including such product aspects as the
descriptors, capabilities and certification status," said DigiCert in
a press release. "This protects against potential damage from
non-compliant USB chargers and the risks from maliciously embedded
hardware or software in devices attempting to exploit a USB

At launch, the program is optional but with more and more
manufacturers including USB-C connectivity on their devices, it's a
welcome addition to the security toolkit.
