1. 50

According to the Wikipedia article https://en.wikipedia.org/wiki/USB_C#Cables

USB-C 3.1 cables are considered full-featured USB-C cables. They are electronically marked cables that contain a chip with an ID function based on the configuration channel and vendor-defined messages (VDM) from the USB Power Delivery 2.0 specification. Cable length should be ≤ 2 m for Gen 1 or ≤ 1 m for Gen2. Electronic ID chip provides information about product/vendor, cable connectors, USB signalling protocol (2.0, Gen1, Gen 2), passive/active construction, use of VCONN power, supported VBUS current, latency, RX/TX directionality, SOP controller mode, and hardware/firmware version.

Is anyone here aware of USB-C cable teardowns, or analysis of the chips inside? I’m concerned about the security implications of an infected USB cable.

  1.  

  2. 18

    Benson Leung at Google tests 3rd-party cables for spec-compliance and posts the results as amazon reviews

    Nathan K also has a series of tests

    Not aware of anyone analyzing the firmware specifically however. I’d imagine that the limited on-board storage would make infection difficult but not impossible.

    1. 7

      Benson was a college buddy of mine back in engineering school. So funny to see he get quasi-famous over this, but knowing Ben, it’s pretty fitting.

    2. 9

      One such USB-C chip seems to be the TPS65986 by Texas Instruments. It doesn’t appear that the firmware is read-only:

      GPIO event: USBEP_ENABLE_EVENT

      When signal is asserted high, the Host Interface will be exposed through the USB2.0 Low Speed Endpoint. The TPS65982 Endpoint (EP) driver can be used to debug or to perform a FW update from a USB Host connected to the port with a Type-C cable.

      TPS65981, TPS65982, and TPS65986 Firmware User’s Guide [pdf]

      1. 1

        I think that chip implements a USB port, not a USB cable.

        1. 3

          I’ve found another product which is more clearly supposed to go inside the cable: Cypress EZ-PD CCG2.

          Bring Type-C cables and adapters to market faster with CCG2, an ARM Cortex-M0 cable controller with low footprint

          CCG2 has an ARM® Cortex®-M0 with 32KB flash to enable firmware upgrades anytime, anywhere—during product development, on the production line or in the field.

          32kb of storage is pretty roomy for a cable. The CCG3 model has even more space - dual 64kb.

          CCG3 is Cypress’s newest USB Type-C port controller with Power Delivery. CCG3 provides a complete solution ideal for Power Adapters, Power Banks, Type-C Dongles, Thunderbolt Accessories, Monitors, Docks and Notebooks.

          CCG3 is capable of supporting Upstream Facing Port (UFP), Downstream Facing Port (DFP), and Dual Role Port (DRP) and will fully support the latest Power Delivery 3.0 specification. CCG3 is a programmable solution, and its dual 64KB flash memory can be used for fail-safe firmware upgrades at any time.

          1. 2

            I think it does both. Reading this document, I see a list of suggested applications:

            • Notebook Computers, Tablets, and Ultrabooks
            • Docking Systems
            • DisplayPort and HDMI Dongles and Cables
            • Charger Adapters
            • USB PD Hosts, Devices, and Dual-Role Ports
            • USB PD-Enabled Bus-Powered Devices
            • Infotainment Consoles
        2. 8

          Oh gawd… this makes me sad.

          It was a Very Sad day for me when I found out that “off” switches were no longer off switches.

          Now finding firmware in cables…..? Oh dear, oh dear, oh dear.

          1. 8

            It is to be expected. Newer things have more features and how they do that is by having more complex stuff (i.e. a microchip) inside them.

            This pattern is not gonna change.

            Like how cars have a computer controlled engine to be more efficient but at the same time making it impossible for at home mechanic to work on it anymore. So on and so forth.

            When somebody sees a smart item with features I just think “oh wow the future is awesome”. Nobody is ever presented with the pros/cons table listing the fact that this makes them more liable to malware or making our society as a whole even more specialised and thus reducing personal independent and the ability to rely on oneself.

            I also think the DIY movement is a counter-culture to this. People get sick that their perfectly fine washing machine stops working and the manufacturer is demanding the cost of a new machine to replace the broken pcb that costed them a dollar to make.

          2. 7

            I am curious how many past instances of active cabling might have commonly had update-able firmware, intentionally or unintentionally, on EEPROM or otherwise?

            From my recollection, all Thunderbolt cables are active going back to Thunderbolt 1 in 2011. Serial Attached SCSI and DisplayPort require some logic in the cable itself, never mind the Anything-to-HDMI adapters you have no doubt used over the years. Ever plugged into a conference room projector by using the dongle they had lying around? My memory is hazier here, but I want to say some version of FireWire had active cabling, but equal chance I am wrong on that.

            I am certainly not happy to see this, but if your personal threat model includes “compromised cabling” you should definitely look into solutions like SyncStop. Don’t use public USB charging outlets (in airports, on busses, etc.) without one.

            1. 3

              USB-C isn’t the first active cabling, but it’s becoming ubiquitous. I don’t own any Thunderbolt peripherals and therefore don’t need to use the cables, but an increasing number of devices are charged over USB-C, making it unavoidable.

              It’s not that I think a cable-based attack is likely, but that I can no longer rule it out as an impossibility.

              SyncStop is a good recommendation, thanks.

            2. 4

              I’m bemused – post Snowden – by the commenters that think this is benign or unlikely to be exploited. I’m pretty sure everything theoretically capable of being exploited has a post-it for each manufacturer slowly moving across a Kanban board somewhere inside the NSA.

              1. 4

                Well. cables known vulnerable could easily be replaced at least :)

                1. 3

                  Although it’s a bit more than just an USB-C cable, I was surprised when my Apple USB-C VGA and Apple USB-C HDMI connectors received a firmware update a year ago or so.

                  Hopefully, these connectors at least require signed firmware by default. A malware that infects your cables would just be too dystopian ;).

                  Edit: firmware update description: https://support.apple.com/en-us/HT205858