The security of USB-based connections and devices is taking a step forward, with the official launch of the USB Type-C Authentication Program on Jan. 2.
USB devices have become ubiquitous in modern computing, and in recent years USB Type-C has been introduced on leading notebooks, smartphones and other connected devices because it enables faster data transfer and more power delivery than the larger USB Type-A interface, which has been widely deployed. While USB devices and interfaces have been broadly adopted and used across the computing landscape, they have also introduced new risks, which can be triggered by simply plugging in a malicious USB device.
“USB-IF [USB Implementers Forum] is excited to launch the USB Type-C Authentication Program, providing OEMs with the flexibility to implement a security framework that best fits their specific product requirements,” USB-IF President and COO Jeff Ravencraft wrote in a media advisory. “As the USB Type-C ecosystem continues to grow, companies can further provide the security that consumers have come to expect from certified USB devices.”
In the early days of USB, many operating systems had default operations to open and enable the contents of a connected USB device, which is something that attackers have been able to exploit in the past.
Malware delivered via USB is suspected to be the root cause of infection behind the Stuxnet virus that shut down Iranian nuclear centrifuges in 2010. Back at the Black Hat USA 2013 conference, security researchers demonstrated the MACTANS attack against iOS devices, where simply plugging an iOS device into a malicious USB charger could lead to malware infection. At Black Hat USA 2014, additional USB attack vectors were disclosed that could have potentially enabled USB accessories to infect vulnerable systems.
One of the solutions to USB risks that has been implemented in recent years by operating system vendors is to not implicitly trust any USB device on first run, instead requiring users to either explicitly trust a given USB device or click a button to open and enable it. With USB Type-C Authentication, the USB-IF is going a step further, taking a cryptographic approach to helping protect USB users and devices against potential risks.
The USB-IF is a multi-stakeholder organization tasked with advancing the state of USB specification and technology adoption. The USB Type-C Authentication Specification was first defined in 2016 as a mechanism to help confirm the identity and authenticity of a given USB device.
With the authentication specification, compliance with USB specifications is validated in an effort to prevent potentially dangerous devices and chargers from connecting to a system. The specification can also limit the risk that malicious software embedded within a USB device will attack a system. According to the USB-IF, the authentication specification enables implementors of the standard to authenticate certified USB Type-C chargers, devices, cables and power sources. The specification defines an approach that validates a USB device as soon as it is plugged in and before other data or power is transferred.
DigiCert
The authentication program relies on cryptography to validate and digitally sign USB Type-C devices with 128-bit security. The USB-IF announced in November 2018 that DigiCert was selected to be the official registration and certificate authority operator for the digital certificates that will enable the USB Type-C Authentication program.
DigiCert is well-known in the Public Key Infrastructure (PKI) and Certificate Authority market as one of the largest vendors in the space. DigiCert acquired Symantec’s Certificate Authority business unit in October 2017 in a $950 million deal.
“DigiCert is excited to work with USB-IF and its CA Program Participants from the industry at large to provide the technical expertise and scale needed for the USB Type-C Authentication Program, and we look forward to implementation,” Geoffrey Noakes, vice president, IoT Business Development at DigiCert, wrote in a media advisory.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.