USB-C Authentication certification stops security attacks through malicious chargers

Several security experts have warned that a bad actor with a malicious version of the standard power adapter or charge cable could easily damage your computer or another USB-C device, even deliver malware to it in just a few seconds. A new USB-C Authentication certification introduced today by the USB Implementers Forum (USB-IF) seeks to put an end to that.

This program is primarily meant to solve the issue of an increasingly fragmented market for USB-C cables, which more often than not limit power delivery or charge speed—or both. Not only does it ensure your charger or cable itself is safe to use, but could make iPhone passcode cracking via specialized hardware like GrayKey’s forensics tool way more difficult.

ROUNDUP: Everything you can do with the USB-C port on 2018 iPad Pro

Apple is a USB-IF member so this technology should make its way into future Macs, iPads and other devices that use USB-C (iPhones could switch to USB-C in 2019).

The new protocol uses cryptographic-based authentication for USB-C chargers and devices.

USB Type-C Authentication empowers host systems to protect against non-compliant USB chargers and to mitigate risks from malicious firmware or hardware in USB devices attempting to exploit a USB connection. Using this protocol, host systems can confirm the authenticity of a USB device, USB cable or USB charger.

All of this happens at the moment a connection is made, before inappropriate power (that can damage your device) or data (like malware or other malicious code) can be transferred.

TUTORIAL: How to restrict USB data access on iPhone

Host systems are able to verify the authenticity of a USB-C device or charger, including things like the descriptors, capabilities and certification status.

USB-IF has picked DigiCert for their default certificate authority services.

Here are the key features of the new USB-C Authentication certification:

  • A standard protocol for authenticating certified USB Type-C chargers, devices, cables and power sources.
  • Support for authenticating over either USB data bus or USB Power Delivery communications channels.
  • Products that use the authentication protocol retain control over the security policies to be implemented and enforced
  • Relies on 128-bit security for all cryptographic methods
  • Specification references existing internationally-accepted cryptographic methods for certificate format, digital signing, hash and random number generation

While this program is optional, Apple will allegedly require that all MFi third-party chargers that are compatible with the USB Power Delivery standard also pass USB-C Authentication certification before they’re permitted to fast-charge your iPhone.

For those wondering, the Power Delivery standard allows for more flexible power delivery with up to a hundred watts of power, along with data, over a single cable. Devices which support the Power Delivery standard basically negotiate their power delivery requirements.

TUTORIAL: How to fast-charge your iPhone

The fast-charge feature, supported from iPhone X onward, charges the battery from dead to 50% in 30 minutes using a 15+W power adapter. Both USB Power Delivery and USB-C Authentication are important for this capability, with USB-C Authentication ensuring a charger meets the USB-C Power Delivery specification and is free of maliciously embedded code.

Who knew that in 2019 people would have to think about protecting themselves from malware attacks via uncertified shady chargers? That said, I for one am definitely glad that the USB organization has thought up how to solve those woes before they went mainstream.

What do you think?

Let us know by leaving a comment below.