USB-C Authentication sounds great, so why are people worried?

What do Stuxnet, BadUSB, USB Killer, and rubber duckies have in common?

The common theme isn’t hard to spot – they’re all computer attacks that launch from USB flash drives.

The problem with USB devices (or the attraction, if you’re a cybercriminal) is that they’re a devastatingly simple way to sneak malware on to computers, especially important ones protected by air gaps.

There are so many malicious possibilities, in fact, that Israeli researchers were recently able to list no fewer than 29 different ways USB devices can compromise almost anything they’re plugged into.

In 2016, the USB 3.0 Promoter Group (Apple, Microsoft, Intel and others) announced its solution in the form of the USB Type-C Authentication specification.

This protocol would, they promised, cryptographically verify the identity of USB-C devices such as flash drives and chargers before a data or power connection is made, making it impossible for fake or malicious drives to exploit a computer.

At a stroke, organisations would have a way of blocking rogue devices from being plugged into their computers by disallowing unverified devices by policy.

Consumers, meanwhile, would be able to use chargers at airports without fear of attacks and know that any chargers, cables, docks, adapters, and drives they bought were the real deal and not fakes.

In theory, it would also make it impossible for attackers to alter a device’s firmware somewhere in the supply chain because this would break verification.

Last week, an important element of this – the program under which DigiCert will dish out digital certificates used to verify devices at firmware level – was confirmed by the USB Implementers Forum (USB-IF), which means that USB-C Authentication should start appearing in products this year.

It sounds like a long-overdue security upgrade so why are some commentators still wary?

Look no further than paragraph two of last week’s press release:

USB Type-C Authentication empowers host systems to protect against non-compliant USB chargers and to mitigate risks from malicious firmware/hardware in USB devices attempting to exploit a USB connection.

Notice the phrase “non-compliant USB chargers”, which has been interpreted by some as the beginnings of a DRM-like system tying buyers to branded products.

Own a smartphone from manufacturer X? USB-C Authentication would rule out counterfeit products but it might also mean you’re tied to buying ‘approved’ cables, chargers and other accessories from that device’s maker too.

It’s not clear whether this would be an issue for devices plugging into a Windows PC (e.g. a laptop maker forcing users to buy branded USB sticks) because the drivers enabling this would be controlled by Microsoft. Android smartphones might offer more leeway.

It’s important to remember that, unlike USB standards of old, USB-C is being pitched as a ubiquitous interface for almost everything that’s not covered by wireless standards such as Bluetooth, including monitors and headphones, as well as storage.

On the other hand, USB-C Authentication is not mandatory so the concern over manufacturer power might end up focussed on a few types of devices such as chargers, where fakes have become an issue.

Certainly, companies selling USB flash drives meeting government standards such as FIPS-140 Level 1 and above will be a welcome new layer of security. It would be a great shame then if worries over hardware DRM by the back door erodes the image of an initiative with such promising security benefits.