Apple wants to stop you from using dangerous USB-C devices

Credit to Author: Jonny Evans | Date: Fri, 04 Jan 2019 07:16:00 -0800

Apple wants to make it harder for its customers to use cheap USB-C cables — and it’s for your own good.

Cables are complicated, and that’s why friends don’t let friends connect cut-price or otherwise unverified USB-C cables to their systems — and soon, you won’t be able to.

Apple has warned its users to avoid using low-quality equipment for years. It was only in 2016 that it emerged that hundreds of chargers then sold on Amazon and advertised as being made by Apple were in fact dangerous fakes.

These fakes were likely to cause electric shock or burst into flames if exposed to high voltage, typical in the event of a power surge.

Not only might cheap cables be poorly made and liable to accidentally damage your device or set themselves on fire, but there are other risks.

Modified cables are also sometimes used by hackers attempting to install malware on your devices. That’s even before we look at systems that use USB to penetrate device security to steal your data, or USB thumb drives used as exploits in organised attacks against key infrastructure.

With so much enterprise and personal data stuffed inside our devices, most right-thinking people will want to protect themselves against any of these threats.

So, it seems, do the manufacturers, with Apple and other members of the USB Implementers Forum (USB-IF) announcing plans to introduce a USB-C authentication program they hope will help protect us against these risks.

The USB Type-C Authentication Program is a scheme in which computers, smartphones, and other “host systems” will be able to identify USB-C cables that don’t meet the grade.

When in place, it will work like this:

What’s really important is that this protection is put in place before any power or data is exchanged between the systems. The certification authority is DigiCert.

Enterprise users know their data is at risk.

Data stacks are driving infrastructure, proprietary data collections will drive future business opportunity, and recent events have underlined how these collections of information can be abused to create problems that are incredibly difficult to fix.

Getting hold of that information is a big business, and all three of the following attack vectors will have been exploited in order to access data, either by injecting malware to gather data and send it back to a central command server or by penetrating device security in another way.

The USB-IF decision is a big step toward ensuring your valuable enterprise data is not stolen, damaged, or subjected to ransomware as a result of those types of attacks.

Apple already does something like this.

iOS 12 introduced a new feature called USB Restricted Mode. You control this feature in Settings > Face ID & Passcode in the Allow Access When Locked section using the USB Accessories tool.

In part, Apple’s decision to introduce these controls reflects its crystal-clear commitment to privacy in a connected age.

That’s the same commitment that means it is developing AI solutions that work at the edge, on your device.

However, it’s a commitment that is also driven by the many instances in which systems have been damaged or, in some cases, fires started through the use of poor-quality, cheap recharging systems.

I doubt there are any manufacturers that want to be seen as responsible if someone is hurt or their property damaged when the device they were charging caught fire because its power adaptor was unsafe.

What is interesting about this pan-industry initiative is how much it reflects that after a certain amount of time, players in any industry are forced to expend increasing quantities of resources securing their existing perimeter simply in order to stand still.

That’s the nature of most empires, of course: They reach a point at which they can no longer manage and finance their own expansion, at which time they must begin to contract. History shows us this tends to be how things work.

Meanwhile, initiatives like this one should help make most of us feel a little more secure that some technology companies care enough to invest in helping us keep our data safe.

We should probably ignore the ones that don’t care about this.
