System administrators have had to take additional precautions over the past several years in order to avoid abuse of USB ports on devices. Today, the USB Implementers Forum has officially launched the USB Type-C Authentication Program that sets standards for improved security.
When a USB cable is plugged in, there is not currently a good way of determining whether there is anything malicious happening in the background. Hardware modifications to cables allow for some extremely stealthy attacks to be carried out that could be hidden in plain sight.
For USB chargers that negotiate power delivery with connected devices, there is still a high risk of a malicious person falsifying parameters. This could cause a device to be physically damaged by requesting a voltage that cannot be safely accepted.
Under USB-IF's authentication program, OEMs will be able to certify that their USB Type-C products are protected against most current attack methods. Certified devices will use 128-bit encryption for authentication to verify that modifications have not been made. DigiCert will be the provider of public key infrastructure and manager of CA program participants.
Software policies on Type-C devices will be able to restrict USB functions based on certification status. For example, it would be possible to only allow phone charging at public terminals that pass a validation check.
At the current time, participation in the authentication program is optional for OEMs. However, it would not be surprising for hardware makers working in sensitive industries to quickly accept and adopt the standard. Rest assured that all of the dollar store phone chargers will not be adding any additional protections.
Image Credit: Kontrymphoto via Shutterstock