[Cryptography] USB 3.0 authentication

Henry Baker hbaker1 at pipeline.com
Thu Apr 14 12:13:40 EDT 2016


At 03:06 AM 4/14/2016, Jerry Leichter wrote:
>There have been recent press reports about a new spec release by the USB 3.0 standards group for a mechanism to certify USB 3.0 devices and cables and have them cryptographically authenticate.
>
>The use case that drives much of the coverage is the story from a couple of months back in which a cheap mis-wired USB 3.0 cable fried someone's Chromebook.
>
>Sounds reasonable.
>
>But then you get to the use of "128-bit security for all cryptography", which is already sounding like a bit of overkill - and a press release (quoted 3rd hand so I have no real idea where it comes from) that:
>
>"For a traveler concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers.

Lemme see.  Even if my "free" charger can't hack your device through the normal signal pins, I may still be able to read some of your secrets using the details of the power consumption signal.  And then, there's bound to be some small amount of crosstalk of the power signal with other signals of your device.

And then there's other signals -- e.g., I simply include a microphone so that I can not only hear your conversation, but I can eavesdrop on your device's power supply audio emanations.

Even w/o a camera, I can sense high frequency light signals.

Also, if you're close enough to plug in, I can easily pick up your Bluetooth -- including BTLE, your ANT+ signals, your wifi signals, etc.

If a company can build a PEN tester into a power strip several years ago (Google it!), then why would anyone *ever* trust an airport charging station again?


