CIO

New USB-C security program aims to squeeze out rogue USB-C devices, cables, chargers

  • Liam Tung (CSO Online)
  • 04 January, 2019 04:40

Makers of third-party USB-C devices, cables and chargers could soon be under pressure to comply with official USB design specifications or face the prospect of not working with PCs and mobile devices. 

The USB Implementers Forum (USB-IF) announced the new USB Type-C Authentication Program on Wednesday, almost three years after unveiling a new authentication protocol for hardware makers to counter risks from rogue USB-C attached devices, chargers and cables. 

USB-IF’s board has representatives from Apple, Microsoft, HP, Intel and Texas Instruments. Notably absent from the board is Google, though a Chromebook engineer from the company, Benson Leung, has helped blow the whistle on bad USB-C cables sold on Amazon that destroyed his Chromebook. 

The idea behind the authentication program for USB-C is to allow host systems like PCs and mobile devices to confirm the authenticity of a USB device, charger, or cable. It also allows the host to acquire details about the connected product's capabilities and certification status at the time it is connected, before any data can be transferred.

USB-IF says the authentication protocol will allow host systems to confirm the authenticity of a USB device, cable or charger to mitigate risks from malicious firmware or hardware. 

The authentication program is optional, but presumably if OEMs like Apple and HP do adopt it, it could put pressure on cable and charger makers to comply with USB-IF’s specifications. It could mean, for example, that a non-certified USB-C charger at the airport simply won’t work when a user connects their phone to it. 

The authentication program covers USB-C chargers, devices, cables and power sources, and supports authentication over either the USB data bus or USB Power Delivery channels.

USB-IF emphasizes that product makers will retain control over the security policies they want to implement and enforce. 

The program is underpinned by digital certificates and public key infrastructure (PKI) from DigiCert, the US certificate authority that bought Symantec’s digital certificate business for $1bn prior to Google removing trust for Symantec’s PKI.

“USB-IF is excited to launch the USB Type-C Authentication Program, providing OEMs with the flexibility to implement a security framework that best fits their specific product requirements,” said USB-IF President and COO Jeff Ravencraft. 

“As the USB Type-C ecosystem continues to grow, companies can further provide the security that consumers have come to expect from certified USB devices.”