Researchers tested BadPower attacks on 35 fast charging models out of 234 available in the market and it turns out 18 models from 8 vendors showcased vulnerability to the attack.
Recently, Chinese researchers at Tencent Security Xuanwu Lab discovered a firmware vulnerability found in fast chargers that can be exploited both physically and digitally. The technique known as BadPower can cause damage to charge mechanics, melt components, and also set your device on fire causing it to become a safety hazard.
In the last few years, fast chargers have taken over the industry ensuing their convenience and expediency in comparison to USB chargers. The latter, however, takes hours to fully charge a device. But the current technology can provide up to 12 or maximum 20 volts or in some cases, even more depending on the limiting charging time to minutes.
How does BadPower corrupt fast chargers?
The researchers explain a ‘fast charging operation.’ in a blog post in the Chinese language. In this case, a power supply terminal (fast charger) connects to the power receiving terminal (device) via cable. When they are connected the supply terminal basically ‘negotiates’ a charging speed with the receiving terminal based on the device’s capabilities. The negotiation is carried out by a special firmware that also handles and stores a set of programs to control the whole charging process.
The bottom line is, that the whole protocol not only includes power but also data transmission. Intruders can use this to their benefit by altering certain parameters in the process that will lead the power supply terminal to deliver more voltage than the device can actually handle. As the device heats up with the power surge it either melts, bends or bursts into flames.
BadPower intrusion can happen through hardware wherein, the assailant uses a special device or attacking rig to the charging port that can invade the firmware within seconds. Once the user attaches the device to the compromised charger the data transmission process will perform a power overload.
On the other hand, BadPower can also attack through malicious code that can cunningly modify fast charger’s firmware without alerting the user.
The Xuanwu Lab carried out further investigations where they tested BadPower attacks on 35 fast charging models out of 234 available in the market. Out of this, 18 models from 8 vendors showcased vulnerability to the attack. Moreover, 11 of those can be exploited through digital means.
Fortunately, the research mentions:
‘Most BadPower problems can be fixed by updating the device firmware.’
Also, the attack doesn’t lead to security or privacy breaches but it can definitely wreak havoc in a physical space.
The researchers have notified all affected vendors per se and have advised them to perform strict legal verification, updates, and checks.
Watch the demo:
Not for the first time
Previously, similar intrusion like BadPower was discovered by Kaspersky Labs called the Loapi malware. The malware was an evil code that could perform five different malicious activity one of which caused the Android phone’s battery to bulge and physically destroying the device.