BadPower Attack Corrupts Fast Chargers To Melt or Set Your Device on Fire (zdnet.com)
Chinese security researchers said they can alter the firmware of fast chargers to cause damage to connected (charging) systems, such as melting components or even setting devices on fire. A reader shares a report: The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent. According to researchers, BadPower works by corrupting the firmware of fast chargers -- a new type of charger that was developed in the past few years to speed up charging times. A fast charger looks like any typical charger but works using special firmware. This firmware "talks" to a connected device and negotiates a charging speed, based on the device's capabilities. If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds. The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver's components, as they heat up, bend, melt, or even burn.
Meh (Score:4, Funny)
With physical access they can replace the firmware, what a shocking discovery.
With physical access you can connect the mains to the USB socket too.
Re: (Score:3)
Relying on consumer-grade software to not burn down your house is just plain idiotic, hack or no hack.
If there are devices on the market that are able to supply a given voltage over a standard connector, then *all* other devices using that connector need hardware overvoltage protection up to that level, no exceptions.
Re:Meh (Score:4, Insightful)
> need hardware overvoltage protection up to that level, no exceptions.
Actually... I would say overcurrent protection should be mandatory. Devices should be required to deal with completely unexpected voltages being connected to external ports at least without causing a safety hazard, and preferably without damage to the device... up to 500 volts at least – voltages on external wiring that is not both well-shielded and grounded can be caused by many environmental factors such as induced currents as a result of local ground potential variations / discharges of static electricity, other devices, nearby lightning, etc; for example the specification for hardware ethernet requires isolation up to 1000 Volts....
USB ought to get similar requirements: The last thing a consumer should want is their $1000 cell phone being easily destroyed by unexpected voltages being temporarily incurred on a charging cable, some static electricity b/c someone walked over carpet before touching the USB port, etc.
Re: (Score:2)
> Actually... I would say overcurrent protection should be mandatory.
Ohm's law says it's the same thing.
Re: (Score:2)
Luckily for us we're talking about "protection" circuits.
Re: (Score:2)
You and parent are saying the same thing.
I=E/R, E=IR
With the resistance of the device being constant, neither E nor I can change without a change in the other.
Re: (Score:2)
> I=E/R, E=IR
> With the resistance of the device being constant, ....
This equation is not true of charging circuits because the relative voltage differences are important, and in a battery these parameters vary with the charge state and environment according to functions... it's meaningless to say "Resistance being constant," because resistance is Not a constant and depends on the battery's State of Charge. In a charging circuit the line voltage difference between the + and - inputs does not equate to the
Re: (Score:2)
Having had 100A fuses blown when a power surge at work turned a 400V AC supply line into a kV supply line, I'm all for both. It rather protects equipment from the unreliable outside world, and protects the people within and using such equipment. This being work, I have a legal obligation (backed by criminal law penalties) to consider such possibilities and take reasonable mitigating action. The possibility of having to defend my choices in a court of law really simp
Re: (Score:2)
Yep, people do it with things called "power banks"...
Re: (Score:2)
Are there power banks which are internet accessible? Why? To what possible purpose (for the end user)?
There is a minor detail that my phone and power banks don't fit in either my pant's or coat's pocket - the cables make a fankle - so when the phone is on charge, it is normally in the top pocket of my rucksack with the power bank(s) in another upper pocket (sometimes in my ha
Re: (Score:2)
I'd think you'd notice your leg getting hot well before it bursts into flames though.
Depending on how much power the source and the conductor are capable of delivering and dissipating - and if there are fuses and protections on the source of power; In a short circuit, for example, it might get more than hot enough to cause serious damage to the person in less than enough time than a human could reasonably react.
It may be that a simple undersized USB cable of 28 AWG copper has a prospective short-circu
Re: (Score:2)
but 100 pounds of canine fury usually prevents that at this house.
Usually? ;-)
Re: (Score:2)
For that sort of protection, you need quite a spark gap, which won't fit in the modern mobile devices. H
It's approximately 2.5 millimeters to isolate 300V with appropriate insulation, and with a little more 500. There should be PLENTY of space, and if not, then fix the devices so it fits.
Re: Meh (Score:2)
2.5mm? That would make the device too thick, and take up more space!
Instead, Apple has removed overvolt protection for a better consumer experience. For those still wanting overvoltage protection, you can simply also carry around the pass through arc gap dongle included in the box! Additional dongles available for $29.99 each.
Re: (Score:2)
I believe the newer iPhones are ditching the power port completely? I think they are going completely wireless charging? In a weird accidental way I guess this would eliminate that vulnerability?
Either way I think this story is one of those "If someone has physical access to something" security things.
If someone has physical access to almost anything, bad stuff can happen.
Re:Meh (Score:4, Interesting)
It's not quite that simple. From the article:
> Furthermore, on some fast charger models, the attacker doesn't need special equipment, and researchers say the attack code can also be loaded on regular smartphones and laptops.
> When the user connects their infected smartphone or laptop to the fast charger, the malicious code modifies the charger's firmware, and going forward the fast charger will execute a power overload for any subsequently connected devices.
So in some cases, the device being charged can modify the charger's firmware. That means that this is potentially a remote, software-only attack that can destroy hardware.
Granted, this sort of thing obviously isn't lucrative for criminals, so it seems unlikely to be developed further, and therefore probably will remain a mostly theoretical threat. But it's not just a "physical access" threat either.
Re: (Score:3)
Actually that is kinda cool. It's been a long time since we saw a real halt-and-catch-fire.
Re: (Score:2)
> Granted, this sort of thing obviously isn't lucrative for criminals
Some people just want to see the world burn.
Re: (Score:3)
> anyway. Better for the battery to slow charge over night, and then only to 90%, or so it is said.
Cheating to a little less than full can sometimes help, but maybe not ...
According to batteryuniversity.com (a great site), as lithium batteries age capacity is reduced. They are aged quicker by being deeply discharged. If, by charging it less at the beginning of the day, it ends up at 10%-20% by the end of the day, that will do more damage to the battery than charging to 100% and having it drain to 20%-3
You can do that with a rooted Android (Score:2)
Oh with the car analogy I was definitely exaggerating and kinda being silly. Making the point in a funny way.
> The real problem is most devices don't offer a partial charge option for those that would benefit from the increased lifespan.
If your phone is rooted you can do that.
Here is one app - I don't know if it's the best app.
https://android.gadgethacks.co... [gadgethacks.com]
> Possibly there's a good justification for not having a device control its charging rate
If what you mean here is actually the charge RATE rath
Re: (Score:2)
> The real problem is most devices don't offer a partial charge option for those that would benefit from the increased lifespan. I think I've seen maybe one brand of computer promote that as a feature for those that leave a laptop plugged in at a desk all day.
My lady's Fujitsu convertible has that feature. It's a T900 of some sort IIRC.
Re: (Score:2)
Indeed. A web search quickly turns up these devices as well:
https://usbkill.com/ [usbkill.com]
I was thinking they had to exist because I remember when slashdot featured the EtherKiller:
https://tech.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
> With physical access you can connect the mains to the USB socket too.
Indeed, two weeks ago I switched my house to combined mains+usbc outlets! https://www.amazon.com/gp/prod... [amazon.com]
Re: (Score:2)
Those things scare me because the USB C plug looks small enough to shove into the mains socket and US ones don't have shutters like we do in the UK.
Re: (Score:2)
Did you even look at the link? It clearly does have some sort of shutter, and says "tamper-resistant outlets prevent unwanted objects from being inserted into the outlets".
it's an opportunity for learning (Score:2)
> "tamper-resistant outlets prevent unwanted objects from being inserted into the outlets"
BAH. Do you want your kids to grow up to be soft?
Re: (Score:2)
So it does...I admit I only looked at the photo which looks open.
USB-C @ high wattage is already a disaster waiting (Score:2)
I'm more worried about the USB-C connectors gathering dust, corrosion, etc, and the socket trying to deliver tens of watts, or a hundred to a device that tells it to do so, creating a resistance point that can overheat and catch fire.
I brought this up before, and I'll say it again: Who thought it was a good idea to send upwards of 100W through the tiny pins of a USB-C connector? Much thicker wires and plugs are used for these kinds of loads for a reason. And micro-USB/USB-C absolutely SUCKS when it comes to
Less current than 2.1 amp micro USB (Score:2)
> Who thought it was a good idea to send upwards of 100W through the tiny pins of a USB-C connector?
Electrical engineers, that's who.
A USB-C pin actually carries LESS current than the older USB ports did with a 2.1 amp charger.
USB 1.0 - 3.0 had one pair of power pins, always at 5V, carrying as much as 5 amps on one pair of pins (battery charging v1.2 spec).
USB-C has four sets of power pins, which each carry no more than 1.5 amp. So much LESS than the old cables.
It is the amperage, or current, that deter
Re: (Score:2)
Btw if 20V just feels like a lot in a small connector, the old-fashioned phone jacks in your house provide 48V DC. The ring tone is 90V AC on top of that. Meaning 138V peak.
Re: (Score:2)
> Those things scare me because the USB C plug looks small enough to shove into the mains socket and US ones don't have shutters like we do in the UK.
The new ones mostly do. It's gotten pretty hard to find unshuttered outlets.
Re: (Score:2)
So how do you insert the plug? I mean what moves the shutters?
Re: (Score:2)
The shutters are internal. The prong on the left side opens the right side shutter and vice-versa. You insert the plug as normal, both prongs must be inserted for the shutters to open.
Re: (Score:2)
The wider prong is the neutral wire anyhow. It's not the same as the ground wire, but it's the center tap of the 230V incoming feed, and it's at ground potential, more or less. No way would USB C or micro-B fit in the hot prong, it's way too small, but even the neutral is also too small.
My problem is that they cost $25 each, as opposed to like $2 for a regular outlet. That's really expensive to do a whole house with them. I only use them when making super extension cords where a bad outlet end is replaced
Re: (Score:3)
The problem is crappy devices where you can replace the firmware just by plugging in to the charging cable. For example, bad guy plugs in to a courtesy charger offered at the airport for a few minutes. Next user gets a nasty surprise.
Re: (Score:2)
They destroy some random person's phone and all they had to do was go to one of the most highly surveilled, cop laden places to do it.
Re: (Score:2)
Just put a random factor in it, suddenly no evidence of who did it or when. Surveillance just shows a series of people charging their phones. Meanwhile, what are the odds the cops even know what firmware is?
It sounds irrational, but the world has an unfortunate number of trolls in it. Other targets include coffee shops and tourist centers. People have been dumping viruses and trojans on the internet long before anyone figured out how to turn it into a highly illegal extortion plot.
Re: (Score:2)
Plus, guess where that guy takes that soon-to-explode cellphone...
Re: (Score:2)
If they can replace the firmware, and the device stays on for long periods (which it will, since the airport has very reliable power) they can zap the 666th person who uses it after they do, or the next person who connects after a power outage. Either way, any suspicion will be drawn away from them...
Re: (Score:2)
I think this XKCD applies: https://m.xkcd.com/1958/ [xkcd.com]
Re: (Score:2)
Really, it shouldn't need an upgrade. It's quite possible that it was just a default for whatever devkit they used and nobody bothered to disable it for production.
Re: (Score:2)
http://www.fiftythree.org/ethe... [fiftythree.org]
Re: (Score:2)
Hey that Mark I was a looker too, you can't beat rotating shafts and clutches.
No fuse? (Score:2)
No fuse?
Re: (Score:2)
-Accounting dept.
Nice Too Know (sic) (Score:1)
Regardless, this is a reason to stick with Name Brand charger and to avoid the knock-offs, counterfeits, and unknown brands.
Maybe this is just an attack on the world's economy. If you can't trust your charger, who can you trust?
Re: (Score:3)
Oh please. 35 different models from 8 different vendors and half were found faulty. You can basically assume that every Chinese charger is one identical knock-off and the other 17 are likely brand name chargers. The reality is that specs are poorly implemented even from brand name vendors.
Now what is truly amazing here is that Chinese chargers often provide the ability to burst into flames without some firmware attack. So just buy Chinese and skip the middleman :-)
Re: (Score:2)
They may even have the specs properly implemented, all it takes for this to work is a firmware update via USB.
Re: (Score:2)
> Regardless, this is a reason to stick with Name Brand charger and to avoid the knock-offs, counterfeits, and unknown brands.
Not necessarily... It's a reason to investigate your charger and perhaps a reason to favor more and stronger standardization and compliance testing of charging protocols and products, so you can actually make an informed decision and not have to do it again for every single chargeable device you own.
The so-called "Name Brand" charger is not necessarily always superior. "Cheap" knock-
Re: (Score:2)
Welcome to the 21st century where the name brand *IS* the cheap knock-off with a more expensive name badge stuck on it.
A simple fix for this (Score:1)
Re: (Score:2)
I hear if you reprogram an X-ray device you can kill someone, too.
Re: (Score:2)
How likely is it that they allow you to plug in some random device into their x-ray machine?
Re: (Score:2)
That's not how this works. Non-volatile memory just means that the fatal bug won't be fixable.
Re: (Score:2)
Then throw the fucking thing away and get a new one. It sure beats dealing with a burning iPhone and then buying a new one.
Re: (Score:2)
> Then throw the fucking thing away and get a new one.
I don't think you understand where the problem sits. The issue is exploitable as common bugs during negotiation. Non volatile memory means a proposed firmware update couldn't fix the problem (specifically called out in TFA), and simply going and buying another one gives you precisely zero assurance that the new one doesn't melt device either.
Re: (Score:2)
If the charger cannot receive a firmware update, you cannot flash malicious firmware onto it. Yes, that means you have to throw it away should you notice that the firmware is faulty, but then again, how many people do you think would even be able to do a firmware update on their charger, or even know that something like that is a thing?
Oddly sounds like modern USB. (Score:2)
If you're gonna brand a bug, do it right (Score:3)
BadPower is the best they could come up with? Not FirePower or EvilPower MagicSmokePower?
Re: (Score:2)
"Dammit Jim, I'm a hacker, not a Gen-Z marketer!"
Re: (Score:2)
How good are you at coming up with cool sounding Chinese names for bugs?
Re: (Score:2)
How racist do you want it?
RucasMagisSmoke!
Re: (Score:2)
They should have named it FireWire. Truth in advertising FTW!
Only applicable if your charger is "smart" (Score:2)
Re: (Score:2)
You're not looking at the correct schematic diagram, obviously.
Re: (Score:2)
Hey, considering what we currently call "AI", this sure qualifies as "smart", at least!
Risks of outsourcing critical infrastructure (Score:3)
No physical access required. (Score:3)
A BadPower attack is silent, as there are no prompts or interactions the attacker needs to go through, but also fast, as the threat actor only needs to connect their attack rig to the fast charger, wait a few seconds, and leave, having modified the firmware.
Here's the thing, if they already have access to your device then they can reprogram a vulnerable charger. It could be a new form of ransomware: pay me $20 or I'll melt your phone when you charge it.
Alternatively, if you are a state actor and wanted to burn down someone's house then this is the ticket.
Re: (Score:2)
Doesn't really work for ransomware, if you warn someone they can just avoid charging the device.
Re: (Score:2)
Plus, you can't really follow through with the promise of not frying their phone, because the next time he plugs it in, it will be fried before the phone could send the defusal firmware.
Re: (Score:2)
Yes... but that means they also can't use it anymore, hence the ransom.... or do you have nuclear batteries in your devices?
We had this discussion back in 2015 (Score:2)
old problem (Score:3)
I worked on a PoE switch/voip router and we had a bug in our early engineering units. If you plug one PoE source into another, for example to bridge two routers together, then the units would run away trying to drive the other and go up in smoke.
Q.A. discovered this and decided to reproduce (wtf). We put a halt on testing after four units were ruined. We didn't have a lot of extras and they were partially hand assembled preproduction units of enterprise hardware. Not cheap to waste. Once the problem was resolved, testing was resumed.
Wait... (Score:2)
...I thought cheap Chinese chargers did this anyway!
So is updating firmware the problem or solution? (Score:5, Insightful)
Re: (Score:2)
Yeah, the article does not make much sense. My guess is that some chargers do not check the 'charging parameters' requested by the device for sensible limits. If the firmware in the device (not charger) is altered so it asks for more power than the device can safely handle, bad things happen. Some chargers may check the limits, so they may not be vulnerable (although it would seem you could still program a 'low charging power' device to request more power than it could handle, even if that power is within
Re: (Score:2)
Maybe the problem is that you can't update the firmware in such a way that it could not be overwritten anymore with malicious firmware.
Re: (Score:2)
Controller software is in the microcontroller flash, but the configuration settings are in external flash? That would mean you could exploit and clean a device, but can't patch out the vulnerability.
Things get a bit weird once you step into the sub ten-cent microcontroller market. I've heard of some that are as little as three cents.
Samsung claims (Score:2)
... prior art.
Good News / Bad News (Score:2)
Re: (Score:2)
I don't think the 'attack' involves changing the firmware in the charger. I think (it is very hard to tell from TFA) that the attack causes the phone (or whatever) to request more power than it can handle. I don't know what the supposed 'fix' to the charger is - maybe put limits on power delivered regardless of what is requested?
Maybe it will make EEs more careful (Score:2)
WW3 gonna be even weirder than Covid (Score:2)
If WW3 ever starts, countries will unleash a barrage of unpublished hacks to F up a lot of devices and infrastructure, perhaps even setting cities on fire and poisoning the air and water by over-releasing standard solvents and cleaners.
Re: (Score:2)
Why do you think that's not already the case?
Re: (Score:2)
You have it backwards. The DEVICE, not charger, should be what must be protected. UL does not say there will never be a voltage spike delivered to your device, it says that if there is a voltage spike the device will not burn your house down.
Putting the protection in the device producing the power doesn't make sense, because a single failure (and there is always the possibility of failure, whether a design defect, manufacturing defect, misuse, damage, etc) can lead to disaster. Putting the protection in
Re: (Score:2)
Because it doesn't make sense. The charger doesn't 'know' what it is charging, it just knows it was asked for a certain amount of power. If it can deliver that power without damaging itself it has met the requirements. Suppose you have some appliance that is plugged into a normal household outlet, capable of delivering 15 amps. Inside the applicance, the wiring is such that it can only handle 5 amps without overheating and catching fire. Something fails in the appliance, and suddenly it is drawing 10 a
Re: (Score:2)
Using your 'extension cord' example. UL will test things like it can handle its rated current without overheating, the insulation won't become brittle and fall off, the ends are not easily pulled off leaving exposed wires, etc. I have a bunch of UL-rated extension cords, not one of them has a hardened steel casing to prevent someone from 'maliciously tampering' with it and shaving insulation off leaving exposed wires, etc. Criminal activity is not in the scope of UL testing.