Nowadays, almost every smartphone is bundled with fast chargers, and they are increasingly popular in markets.
And now Chinese researchers at the Xuanwu Lab, owned by Tencent, have discovered a vulnerability in fast chargers that allow altering their operation to damage the connected devices.
The vulnerability dubbed as BadPower can modify the firmware of some fast chargers and make the phone go up in flames they are connected.
Most of the fast chargers can push 20 volts, but some devices can only safely accept 5V. And BadPower corrupts a fast charger and effectively stops its chip’s firmware and the charging device from agreeing on a set voltage. By overloading a device with more voltage than it can handle, researchers found that they could cause some devices to burst into flames.
Researchers have been able to found this vulnerability on 18 models out of the 35 models they tested from 8 different manufacturers.
This is an especially troubling problem because now fast chargers have managed to make significant leaps — recently, BBK Electronics has launched a new 120W Super FlashCharge technology that can charge a 4,000 mAh battery from 0 to 100 percent in just 15 minutes for their Oppo, Vivo and IQOO smartphones.
How BadPower destroys your phone?
Usually, when we connect our mobile to a fast charger, the firmware and the mobile operating system decide which is the best recharging power, depending on the compatibility of the mobile. If it is a cheap mobile phone without fast charging technology, then it will only allow 5V, but the most advanced ones can support more than 20 V.
To demonstrate BadPower attack, researchers used a “special device disguised as a mobile phone” to corrupt a fast charger’s firmware and have focused its attack on getting rid of the above-mentioned safeguards — changing the firmware of the fast chargers to change the voltage to one that is not supported by the device.
The result was brutal — the malicious charging device start heating the battery of the phone by a power overload attack and resulting in irreversible physical damage.
According to researchers, the BadPower attack does not cause data privacy leaks, but it can destroy the physical world through digital space or could also affect the security of the physical environment around the device.
How to stay safe from BadPower attack?
To modify the fast charging firmware, the attacker only needs momentary access to the charger. For example, if we leave it connected for a moment, the hacker can easily modify the firmware of the charger by connecting a computer to the charger and running a program. Also, the attacker uses the user’s mobile phone, notebook computer and other terminal devices in some way, and implants malicious programs with BadPower attack capabilities in them, making the terminal device an attack agent of BadPower.
So as a user to mitigate the threat of BadPower don’t easily give your own chargers, power banks, etc. to others, mainly to strangers. At the same time, it is recommended fast charges to charge the devices that do not support fast charging.
For manufactures, researchers suggest adding additional fuses to devices that support lower voltage fast charging.