New USB-C security program aims to squeeze out rogue USB-C devices, cables, chargers

Makers of third-party USB-C devices, cables and chargers could soon be under pressure to comply with official USB design specifications or face the prospect of not working with PCs and mobile devices. 

The USB Implementers Forum (USB-IF) announced the new USB Type-C Authentication Program on Wednesday, almost three years after unveiling a new authentication protocol for hardware makers to counter risks from rogue USB-C attached devices, chargers and cables. 

USB-IF’s board has representatives from Apple, Microsoft, HP, Intel and Texas Instruments. Notably absent from the board is Google, though a Chromebook engineer from the company, Benson Leung, has helped blow the whistle on bad USB-C cables sold on Amazon that destroyed his Chromebook. 

The idea behind the authentication program for USB-C is to allow host systems like PCs and mobile devices to confirm the authenticity of a USB device, charger, or cable. It also allows the host to acquire details about the connected external object’s capabilities and certification status at the time it is connected, before any data can be transferred.

USB-IF says the authentication protocol will allow host systems to confirm the authenticity of a USB device, cable or charger to mitigate risks from malicious firmware or hardware. 

The authentication program is optional, but presumably if OEMs like Apple and HP do adopt it, it could put pressure on cable and charger makers to comply with USB-IF’s specifications. It could mean, for example, that a non-certified USB-C charger at the airport simply won’t work when a user connects their phone to it. 

The authentication program covers USB-C chargers, devices, cables and power sources, and supports authentication over either the USB data bus or USB power delivery channels.

USB-IF emphasizes that product makers will retain control over the security policies they want to implement and enforce. 

The program is underpinned by digital certificates and public key infrastructure (PKI) from DigiCert, the US certificate authority that bought Symantec’s digital certificate business for $1bn prior to Google removing trust for Symantec’s PKI.


“USB-IF is excited to launch the USB Type-C Authentication Program, providing OEMs with the flexibility to implement a security framework that best fits their specific product requirements,” said USB-IF President and COO Jeff Ravencraft. 

“As the USB Type-C ecosystem continues to grow, companies can further provide the security that consumers have come to expect from certified USB devices.”



Stories by Liam Tung
