"BadPower" Attack Leverages High-Speed USB Charging to Damage Devices, Start Fires
By rewriting improperly-protected firmware from the USB port, it's possible to send 20V to devices only capable of receiving 5V.
The Tencent Security Xuanwu Lab research center has published details of a vulnerability in manufacturers' fast-charging devices for laptops, smartphones, and tablets. Dubbed BadPower, it has been proven to do physical damage to connected devices, up to and including fire.
"Tencent Security Xuanwu Lab discovered a new type of safety problem in some fast charging products and named it 'BadPower'," the company explains in a translated version of a Chinese publication brought to our attention by security researcher Bruce Schneier. "Using BadPower, an attacker can hack into devices such as chargers that support fast charging technology, causing the target device to output an excessively high voltage when powering external devices, resulting in breakdown and burning of the components of the powered device, and even further damage to the powered device. The physical environment where the equipment is located creates a safety hazard."
The attack centers on firmware-driven "fast charging" features, which upgrade the classic 5V at 2A supply of USB ports to allow for up to 20V and 5A, an impressive total of 100W of power. That means higher-power devices like large-format displays and laptops can be powered or charged via USB, and lower-power devices like smartphones and tablets can be charged more rapidly.
"The fast charge protocol not only includes power transmission function, but also data transmission. Some manufacturers have designed an interface that can read and write built-in firmware in the data channel, but they have not performed effective security verification of the read and write behavior, or the verification process has problems, or the fast charging protocol implementation has some memory corruption problems," the team explains of the flaw. "Attackers can use these problems to rewrite the firmware of the fast charging device to control the power supply behavior of the device.
"Under normal circumstances, for power receiving devices that do not support fast charging, the fast charging device will provide a 5V power supply voltage by default. But by rewriting the code that controls the power supply behavior in the fast charging device, the fast charging device can input a maximum voltage of 20V to these power receiving devices that can only accept 5V voltage, resulting in power overload."
The company tested a range of chargers and found that 18 of the 35 devices tested were capable of being reprogrammed to output 20V to 5V-only devices, not only permanently damaging the target device but in one case actually starting a small fire.
Xuanwu Lab's researchers have two suggestions for resolving the issue: that manufacturers perform better verification on USB-driven firmware update functionality, or remove the ability altogether; and that they have the devices' firmware checked for common software vulnerabilities. Additionally, they recommend adding new requirements for safety verification as part of the firmware update process and adding protective fuses to devices' designs, and they tell those concerned about being targeted by the attack to keep their devices away from untrusted individuals and to avoid using fast chargers with standard USB devices.
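To make the first recommendation concrete, the sketch below shows a charger-side update handler that refuses to write flash unless the received image is well-formed, authenticated, and newer than the running build. It is an added example, not code from Xuanwu Lab or any charger vendor. The image layout, the `Charger` class, and the function names are assumptions, and HMAC-SHA256 with a per-device key stands in for the asymmetric signature check a production bootloader would normally use.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not a real vendor format):
# magic(4) | version(u32 LE) | payload_len(u32 LE) | payload | HMAC-SHA256 tag(32)
MAGIC = b"CHG1"
HEADER = struct.Struct("<4sII")
TAG_LEN = 32
MAX_PAYLOAD = 64 * 1024  # size of the hypothetical flash region


class Charger:
    """Hypothetical charger bootloader state."""

    def __init__(self, key: bytes, version: int, firmware: bytes):
        self._key = key            # update key (stand-in for a vendor public key)
        self.version = version
        self.firmware = firmware

    def handle_update(self, image: bytes) -> str:
        """Validate an image from the data channel; write flash only on success."""
        if len(image) < HEADER.size + TAG_LEN:
            return "reject: truncated"
        magic, version, length = HEADER.unpack_from(image)
        if magic != MAGIC:
            return "reject: bad magic"
        # Bounds check before touching the payload: the declared length must
        # match the bytes actually received and fit the flash region.
        if length > MAX_PAYLOAD or len(image) != HEADER.size + length + TAG_LEN:
            return "reject: bad length"
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        if version <= self.version:                 # refuse rollback to older builds
            return "reject: rollback"
        self.firmware = body[HEADER.size:]          # commit only after every check
        self.version = version
        return "accepted"


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor-side packaging of a constructed test image."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()
```

The tag covers the header as well as the payload, so the version field used for the rollback check cannot be altered without invalidating the image.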
The full paper is available on the Tencent website, via Google Translate; a demonstration video is also available on qq.com.