USB-C adds authentication protocol The USB 3.0 Promoter Group has announced it has devised and will adopt a new “USB Type-C Authentication specification.” The specification means makers of USB devices will be able to encode them with information about their source and function. When connecting to those devices, machines like computers or phones will be able to …
I don't know about cables, but certainly only official chargers will be allowed as a charger loaded with malware will look like the real thing. As a side effect official chargers could come with USB-C cable that can't be detached.
What was wrong with those chargers with just a pin connector...
>What was wrong with those chargers with just a pin connector...
Not a lot - they were very ergonomic, much easier for people with limited dexterity or eyesight to use than microUSB. However, such people would benefit even more from charging docks or wireless charging solutions.
Ultimately, phones have got smaller, so designers have looked at ways to save space. Phones needed a data connection anyway, and then the EU mandated microUSB.
Most of the pin connectors were hard-cabled to the older, inefficient sort of power adaptor - the kind that was heavy and got warm during use.
Ha, I even remember a mate's Nokia that had a pin connector for charging and a mini USB socket for data - but it wouldn't charge over miniUSB, which was just frustrating.
The EU mandating USB went wrong because manufacturers came up with their own ways of negotiating current draw over USB instead of following the standard just to save a few pence.
I don't think having a pin plug implies that the charger must be inefficient, it was just that chargers then were less efficient than now.
The Symbian 3 ones did charge over USB, but only at 500mA.
It's already there - an cheap unlicensed lightning cable might work today but is unlikely to work with the next generation of whatever you're charging with it. This brings the same lock in potential to USB.
You're dead right - but the OEM cables will be marketed as assured quality or some such nonsense and the after market can either trial and error reverse engineer things or pay for the licence and pass the cost on.
Actually, on first read, this says nothing whatsoever about cables. It does say _chargers_ could be identified, but USB is point-to-point - there is a host and a device, no third parties on the wire, so a cable has no place to get in on the action. Tying pins here and there could just about be crammed into the spec later, but full fledged communication cannot occur with a cable unless it IS the host itself - in which case you cannot talk to any potential hosts in the charger itself (well technically you could try to make the cable some sort of one-port hub, but I don't see any evidence of that here). This seems to be all about authenticating _chargers_...
I wonder how they prevent copying the key off a whitelisted device onto either a cheap Chinese clone or an evil device that will try to compromise the USB host.
What USB need is a way to limit devices to certain functionality - if I plug in a charger cable it should only be capable of providing power, it should be unable to do anything else. I don't know if the USB standard even allows for the host to do this - like for instance, only if I hold down the home button while plugging in my phone would I enable bidirectional data access on the USB port. Otherwise it would only be able to receive power, nothing else. That's a much better way of preventing rogue USB chargers, and something it would be impossible to overcome by simply copying a public key.
Another possible method:
- Carry a short length of USB male > female cable that only has power pins connected. For the next few years, this would be a handy cable anyway, because it could be microUSB.female > USB.C.Male, thus allowing owners of new phones to use a common microUSB charger.
A method to Doug S method has been implemented before - I've had gadgets that connect for power only (at a higher rate of mA) when turned off, and connect with data when turned on. It used to be (in USB 2) that many devices would charge more quickly on cables with the data pins shorted (AFAIK the thinking was to limit the draw gadgets would make on a host PC's USB bus).
I am slightly wary of not being able to access a device's storage by USB if a hardware button is broken, but TBH that is the situation at the moment (to access the internal storage of an Android phone with a damaged digitiser you need to use USB OTG to unlock it - if you haven't previously turned on USB debugging).
Dave 126
>Carry a short length of USB male > female cable that only has power pins connected
Nice idea but from the article:
"Once USB-C becomes ubiquitous and makes a single wire responsible for carrying power and data, even the dimmest hackers will likely cotton on to the opportunities to craft crooked chargers or other evil devices"
> Nice idea but from the article: "Once USB-C becomes ubiquitous and makes a single wire responsible for carrying power and data..."
The article means *cable", not *wire". USB C still has dedicated power pins, discrete from its data pins. The 'short length of cable' I referred to would be one modified so that only its power pins were still connected. Such a solution will give the cautious / paranoid user more peace of mind than any software approach.
A USB C pin-out diagram is here:
http://bi9he1w7hz8qbnm2zl0hd171.wpengine.netdna-cdn.com/wp-content/uploads/2014/09/USBTypeCPinOutDiagram.jpg
"
Nice idea but from the article:
Once USB-C becomes ubiquitous and makes a single wire responsible for carrying power and data,
"
It's still entirely possible. Just carry a cable or adaptor that has a low-pass filter (i.e. choke & capacitor) to allow power through but prevent data.
That would be wrong. USB type C will allow a single cable to carry both power and data. It does NOT make a single wire within that cable do both. The author of the article is wrong. Of course all USB did that but power was expected to only go out a USB host port, not in, while type-C allows both directions (as the new Macintosh devices take advantage/abuse of).
Phones all need the ability to completely disable everything other than the charging function on their ports.
Some has a Do you trust this computer message when you plug in.
We really need something like:
A prompt for:
Charge only?
Data connection?
Audio accessory?
With the phone requiring a pin unlock etc before doing anything other than charging.
For extreme security phones, an extra dumb charging port without any data services at all might be useful.
You could easily have a USB C data port on the top with a cover and a changing port on the bottom.
Bottom port only capable of charging the battery.
Some Sony Xperia phones had a similar feature - two external nubbins mounted on the side of the phone, for charging from docks. Of course the required a non-standard cable or dock to use, so isn't directly applicable to the scenario sketched out here (i.e. you want to use an untrusted but common power plug. )
I've noticed that in the Cyanogenmod 13.1 nightlies that it defaults to Charge Only when you first plug in a USB cable, and you have to choose to select either Media Device or Camera as options if you want to transfer files.
Slightly annoying when I forget and can't work out why my computer hasn't detected my phone, but otherwise it makes sense.
...I'm actually expected to do this by work in the hope we might find out who it belongs to and return it to them. I managed to get the responsibility passed to me from the Receptionists who usually manage lost property because I at least have a bunch of disposable linux VM's to try it on.
There is a big risk that this could encourage the likes of Samsung et al to gimp their phones so they're "optimised" for their own brand chargers and discriminate against other makes.
It's bad enough that Apple do this but potentially everyone could now. In fact Apple could even switch from own connector for USB and still have the means to screw over the user by controlling what peripherals and devices they are allowed to plug into it.
Also - if these cables need to do sophisticated encryption and handshaking so that the device will accept them, does it also mean that the cable itself needs to have expensive active components? One more excuse to crank up the price, argh.
@horridbloke - there is a device that is available that "neuters" a USB connection so that only power gets through. It was reported on El Reg some time ago, in fact a little googling finds the USB Condom http://int3.cc/products/usbcondoms, or there are many instructions online on how to create your own. Granted that is for traditional USB but aren't the cables interchangeable on the host end?
Yes, there are power-line-only dongles for traditional usb connectors. The issue with USB-C is power and signalling on the same pin, so that traditional approach doesn't work. I'm wondering whether the introduction of a cunning capacitor or something (I don't do hardware) would enable current flow but wreck the signalling needed for any communication. The big question there is whether some signalling is needed to negotiate / request current - something USB devices are supposed to do but don't always.
>The issue with USB-C is power and signalling on the same pin
Can you expand upon that, Horridbloke? On every Type C pin-out diagram I can find, power and data are on separate pins.
There are some further pins called 'USB power delivery communication' but they are just data pins dedicated to communicating power draw and the like.
As described, this looks like it could be a preventative for the "bank of capacitors in a thumbdrive" attack. If said thumbdrive does not authenticate itself, it gets no power, and cannot fry the USB host. Or would said sabotage-minded thumbdrive be able to send the current across in lieu of authentication and do the damage before the host can lock it out?
"
As described, this looks like it could be a preventative for the "bank of capacitors in a thumbdrive" attack. If said thumbdrive does not authenticate itself, it gets no power, and cannot fry the USB host."
How could a device authenticate itself if the host does not supply it with power first?
How with this stop the "voltage multiplier in a thumb drive case" scenario?
Just mix a certified device with the malicious hardware, and piggyback on the power. Sure, it will cost a bit more. But you probably are especially cost-sensitive when building a destructive device.
Nor will this stop mis-wired cables destroying devices.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
