Security researchers from the Chinese company Tencent () a new class of attacks BadPower aimed at defeating chargers for smartphones and laptops that support . The attack allows the charger to initiate the transfer of excessive power that the equipment was not designed for, which can lead to failure, melting parts, or even burning the device.
The attack is carried out from the victim's smartphone, the control of which is captured by the attacker, for example, through the exploitation of a vulnerability or the introduction of malware (the device simultaneously acts as a source and object of attack). The method can be used to physically damage an already compromised device and carry out sabotage that can start a fire. The attack is applicable to chargers that support firmware updates and do not use digital signature verification of the downloaded code. Chargers that do not support flashing are not affected by the attack. The degree of possible damage depends on the model of the charger, the output power and the presence of overload protection mechanisms for the devices being charged.
The USB fast charging protocol implies the presence of a process for negotiating charging parameters with the device being charged. The charging device transmits to the charger information about the supported modes and the allowable voltage (for example, instead of 5 volts, it is reported that it is possible to accept 9, 12 or 20 volts). The charger can control the parameters during charging, change the charge rate and adjust the voltage depending on the temperature.
If the charger recognizes deliberately overestimated parameters or changes are made to the charging progress control code, the charger may give charge parameters for which the device is not designed. The method of carrying out the BadPower attack is associated with corrupting the firmware or loading a modified firmware onto the charger that sets the maximum possible voltage. The power of chargers is growing rapidly and, for example, Xiaomi next month to release devices that support 100W and 125W fast charging technologies.
Of the 35 fast charging adapters and external batteries (Power Bank) tested by the researchers, selected from 234 models available on the market, the attack was applicable to 18 devices manufactured by 8 manufacturers. The attack on 11 out of 18 problematic devices was possible in a fully automatic mode. Changing the firmware on 7 devices required physical manipulation of the charger. The researchers concluded that the degree of security does not depend on the fast charging protocol used, but is associated solely with the ability to update the firmware via USB and with the use of cryptographic mechanisms for verifying operations with the firmware.
Flashing of some chargers is performed via a standard USB port and allows you to modify the firmware from an attacked smartphone or laptop without the use of special equipment and is hidden from the owner of the device. According to researchers, about 60% of the chips offered on the market for fast charging chips allow final products to organize firmware updates via a USB port.
Most of the problems associated with the BadPower attack technology can be fixed at the firmware level. To block the attack, manufacturers of problematic chargers were asked to strengthen protection against unauthorized firmware modification, and consumer device manufacturers to add additional overload control mechanisms. Users are not recommended to use Type-C adapters to connect fast charging devices to smartphones that do not support this mode, since such models are less protected from possible overloads.
Source: opennet.ru