
BadPower Attack Corrupts Fast Chargers To Melt or Set Your Device on Fire (zdnet.com) 121

Chinese security researchers said they can alter the firmware of fast chargers to cause damage to connected (charging) systems, such as melting components or even setting devices on fire. A reader shares a report: The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent. According to researchers, BadPower works by corrupting the firmware of fast chargers -- a new type of charger that was developed in the past few years to speed up charging times. A fast charger looks like any typical charger but works using special firmware. This firmware "talks" to a connected device and negotiates a charging speed, based on the device's capabilities. If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds. The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver's components, as they heat up, bend, melt, or even burn.
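
A device-side guard that does not trust the charger to honor the negotiated voltage, as an added example (not code from the report, Xuanwu Lab or any charger vendor): the sink refuses offers above its hardware limit and cuts the load when measured input voltage exceeds the agreed contract. All names, thresholds and sample traces are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits for an illustrative device; not from any spec. */
typedef struct {
    uint32_t contract_mv;   /* voltage agreed during negotiation */
    uint32_t abs_max_mv;    /* highest input the hardware tolerates */
    uint32_t tolerance_pct; /* allowed overshoot above the contract */
    uint32_t trip_samples;  /* consecutive bad samples before cut-off */
} sink_policy_t;

typedef struct {
    uint32_t bad_run; /* current streak of out-of-contract samples */
    bool tripped;     /* latched: stays set until the state is reset */
} sink_state_t;

/* Never accept an offer above what the hardware can take. */
bool sink_accept_offer(const sink_policy_t *p, uint32_t offer_mv) {
    return offer_mv <= p->abs_max_mv;
}

/* Feed one measured input sample; returns true if the load must be cut. */
bool sink_check_sample(const sink_policy_t *p, sink_state_t *s, uint32_t mv) {
    uint32_t limit = p->contract_mv + p->contract_mv * p->tolerance_pct / 100;
    if (limit > p->abs_max_mv) limit = p->abs_max_mv;
    if (s->tripped) return true;
    if (mv > p->abs_max_mv) {          /* dangerous: cut immediately */
        s->tripped = true;
    } else if (mv > limit) {           /* above contract: debounce */
        if (++s->bad_run >= p->trip_samples) s->tripped = true;
    } else {
        s->bad_run = 0;                /* back in range, clear streak */
    }
    return s->tripped;
}

/* Replay a trace; returns index of the sample that tripped, or -1. */
int sink_replay(const sink_policy_t *p, const uint32_t *mv, size_t n) {
    sink_state_t s = {0, false};
    for (size_t i = 0; i < n; i++)
        if (sink_check_sample(p, &s, mv[i])) return (int)i;
    return -1;
}

int main(void) {
    /* Constructed sample data: a 9 V contract on a 12 V-tolerant device. */
    sink_policy_t p = {9000, 12000, 5, 3};
    uint32_t rogue[] = {5000, 9000, 20000};
    printf("offer 20 V accepted: %d\n", sink_accept_offer(&p, 20000));
    printf("rogue trace trips at sample %d\n", sink_replay(&p, rogue, 3));
    return 0;
}
```

A software check like this only complements a hardware clamp: a fast enough overvoltage can damage the input stage before any sample is taken.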


  • Meh (Score:4, Funny)

    by AmiMoJo ( 196126 ) on Monday July 20, 2020 @12:48PM (#60311089) Homepage Journal

    With physical access they can replace the firmware, what a shocking discovery.

    With physical access you can connect the mains to the USB socket too.

    • Relying on consumer-grade software to not burn down your house is just plain idiotic, hack or no hack.

      If there are devices on the market that are able to supply a given voltage over a standard connector, then *all* other devices using that connector need hardware overvoltage protection up to that level, no exceptions.

      • Re:Meh (Score:4, Insightful)

        by mysidia ( 191772 ) on Monday July 20, 2020 @01:32PM (#60311319)

        need hardware overvoltage protection up to that level, no exceptions.

        Actually... I would say overcurrent protection should be mandatory. Devices should be required to deal with completely unexpected voltages being connected to external ports at least without causing a safety hazard, and preferably without damage to the device... up to 500 volts at least – voltages on external wiring that is not both well-shielded and grounded can be caused by many environmental factors such as induced currents as a result of local ground potential variations / discharges of static electricity, other devices, nearby lightning, etc; for example the specification for hardware ethernet requires isolation up to 1000 Volts....

        USB ought to get similar requirements: The last thing a consumer should want is their $1000 cell phone being easily destroyed by unexpected voltages being temporarily incurred on a charging cable, some static electricity b/c someone walked over carpet before touching the USB port, etc.

        • Actually... I would say overcurrent protection should be mandatory.

          Ohm's law says it's the same thing.

        • You and parent are saying the same thing.

          I=E/R, E=IR

          With the resistance of the device being constant, neither E nor I can change without a change in the other.

          • by mysidia ( 191772 )

            I=E/R, E=IR

            With the resistance of the device being constant, ....

            This equation is not true of charging circuits because the relative voltage differences are important, and in a battery these parameters vary with the charge state and environment according to functions.. it's meaningless to say "Resistance being constant," because resistance is Not a constant and depends on the battery's State of Charge. In a charging circuit the line voltage difference between the + and - inputs does not equate to the

        • Overcurrent and overvoltage, to a degree.

          Having had 100A fuses blown when a power surge at work turned a 400V AC supply line into a kV supply line, I'm all for both. It rather protects equipment from the unreliable outside world, and protects the people within and using such equipment. This being work, I have a legal obligation (backed by criminal law penalties) to consider such possibilities and take reasonable mitigating action. The possibility of having to defend my choices in a court of law really simp

    • Re:Meh (Score:4, Interesting)

      by Dutch Gun ( 899105 ) on Monday July 20, 2020 @01:22PM (#60311267)

      It's not quite that simple. From the article:

      Furthermore, on some fast charger models, the attacker doesn't need special equipment, and researchers say the attack code can also be loaded on regular smartphones and laptops.

      When the user connects their infected smartphone or laptop to the fast charger, the malicious code modifies the charger's firmware, and going forward the fast charger will execute a power overload for any subsequently connected devices.

      So in some cases, the device being charged can modify the charger's firmware. That means that this is potentially a remote, software-only attack that can destroy hardware.

      Granted, this sort of thing obviously isn't lucrative for criminals, so it seems unlikely to be developed further, and therefore probably will remain a mostly theoretical threat. But it's not just a "physical access" threat either.

      • Didn't the Israelis awhile back that would explode remotely? Oops if you were the terrorist who owned the device...
      • by AmiMoJo ( 196126 )

        Actually that is kinda cool. It's been a long time since we saw a real halt-and-catch-fire.

      • Granted, this sort of thing obviously isn't lucrative for criminals

        Some people just want to see the world burn.

    • Indeed. A web search quickly turns up these devices as well:

              https://usbkill.com/ [usbkill.com]

      I was thinking they had to exist because I remember when slashdot featured the EtherKiller:

              https://tech.slashdot.org/stor... [slashdot.org]

    • by ljw1004 ( 764174 )

      With physical access you can connect the mains to the USB socket too.

      Indeed, two weeks ago I switched my house to combined mains+usbc outlets! https://www.amazon.com/gp/prod... [amazon.com]

      • by AmiMoJo ( 196126 )

        Those things scare me because the USB C plug looks small enough to shove into the mains socket and US ones don't have shutters like we do in the UK.

        • by bws111 ( 1216812 )

          Did you even look at the link? It clearly does have some sort of shutter, and says "tamper-resistant outlets prevent unwanted objects from being inserted into the outlets".

        • I'm more worried about the USB-C connectors gathering dust, corrosion, etc, and the socket trying to deliver tens of watts, or a hundred to a device that tells it to do so, creating a resistance point that can overheat and catch fire.

          I brought this up before, and I'll say it again: Who thought it was a good idea to send upwards of 100W through the tiny pins of a USB-C connector? Much thicker wires and plugs are used for these kinds of loads for a reason. And micro-USB/USB-C absolutely SUCKS when it comes to

          • > Who thought it was a good idea to send upwards of 100W through the tiny pins of a USB-C connector?

            Electrical engineers, that's who.

            A USB-C pin actually carries LESS current than the older USB ports did with a 2.1 amp charger.

            USB 1.0 - 3.0 had one pair of power pins, always at 5V, carrying as much as 5 amps on one pair of pins (battery charging v1.2 spec).

            USB-C has four sets of power pins, which each carry no more than 1.5 amp. So much LESS than the old cables.
            It is the amperage, or current, that deter

            • Btw if 20V just feels like a lot in a small connector, the old-fashioned phone jacks in your house provide 48V DC. The ring tone is 90V AC on top of that. Meaning 138V peak.

        • Those things scare me because the USB C plug looks small enough to shove into the mains socket and US ones don't have shutters like we do in the UK.

          The new ones mostly do. It's gotten pretty hard to find unshuttered outlets.

          • by AmiMoJo ( 196126 )

            So how do you insert the plug? I mean what moves the shutters?

            • by bws111 ( 1216812 )

              The shutters are internal. The prong on the left side opens the right side shutter and vice-versa. You insert the plug as normal, both prongs must be inserted for the shutters to open.

        • by Megane ( 129182 )

          The wider prong is the neutral wire anyhow. It's not the same as the ground wire, but it's the center tap of the 230V incoming feed, and it's at ground potential, more or less. No way would USB C or micro-B fit in the hot prong, it's way too small, but even the neutral is also too small.

          My problem is that they cost $25 each, as opposed to like $2 for a regular outlet. That's really expensive to do a whole house with them. I only use them when making super extension cords where a bad outlet end is replaced

    • This is no different than that "killer USB stick" that was vogue for a little while. Man with hammer can destroy your computer in seconds, news at 11.
    • by sjames ( 1099 )

      The problem is crappy devices where you can replace the firmware just by plugging in to the charging cable. For example, bad guy plugs in to a courtesy charger offered at the airport for a few minutes. Next user gets a nasty surprise.

      • by AmiMoJo ( 196126 )

        They destroy some random person's phone and all they had to do was go to one of the most highly surveilled, cop-laden places to do it.

        • by sjames ( 1099 )

          Just put a random factor in it, suddenly no evidence of who did it or when. Surveillance just shows a series of people charging their phones. Meanwhile, what are the odds the cops even know what firmware is?

          It sounds irrational, but the world has an unfortunate number of trolls in it. Other targets include coffee shops and tourist centers. People have been dumping viruses and trojans on the internet long before anyone figured out how to turn it into a highly illegal extortion plot.

        • Plus, guess where that guy takes that soon-to-explode cellphone...

        • If they can replace the firmware, and the device stays on for long periods (which it will, since the airport has very reliable power) they can zap the 666th person who uses it after they do, or the next person who connects after a power outage. Either way, any suspicion will be drawn away from them...

  • No fuse?

  • I appreciate these Chinese researchers letting us know about this. They didn't have to. But I wonder, why are they telling us this? Is it FUDsplaining or to tell us not to buy fast chargers that Chinese companies make?

    Regardless, this is a reason to stick with Name Brand charger and to avoid the knock-offs, counterfeits, and unknown brands.

    Maybe this is just an attack on the world's economy. If you can't trust your charger, who can you trust?
    • Oh please. 35 different models from 8 different vendors and half were found faulty. You can basically assume that every Chinese charger is one identical knock-off and the other 17 are likely brand name chargers. The reality is that specs are poorly implemented even from brand name vendors.

      Now what is truly amazing here is that Chinese chargers often provide the ability to burst into flames without some firmware attack. So just buy Chinese and skip the middleman :-)

      • They may even have the specs properly implemented, all it takes for this to work is a firmware update via USB.

    • by mysidia ( 191772 )

      Regardless, this is a reason to stick with Name Brand charger and to avoid the knock-offs, counterfeits, and unknown brands.

      Not necessarily... It's a reason to investigate your charger and perhaps a reason to favor more and stronger standardization and compliance testing of charging protocols and products, so you can actually make an informed decision and not have to do it again for every single chargeable device you own.

      The so-called "Name Brand" charger is not necessarily always superior. "Cheap" knock-

    • by sjames ( 1099 )

      Welcome to the 21st century where the name brand *IS* the cheap knock-off with a more expensive name badge stuck on it.

  • Non volatile memory for devices such as these
    • I hear if you reprogram an X-ray device you can kill someone, too.

    • That's not how this works. Non-volatile memory just means that the fatal bug won't be fixable.

      • Then throw the fucking thing away and get a new one. It sure beats dealing with a burning iPhone and then buying a new one.

        • Then throw the fucking thing away and get a new one.

          I don't think you understand where the problem sits. The issue is exploitable as common bugs during negotiation. Non volatile memory means a proposed firmware update couldn't fix the problem (specifically called out in TFA), and simply going and buying another one gives you precisely zero assurance that the new one doesn't melt device either.

          • If the charger cannot receive a firmware update, you cannot flash malicious firmware onto it. Yes, that means you have to throw it away should you notice that the firmware is faulty, but then again, how many people do you think would even be able to do a firmware update on their charger, or even know that something like that is a thing?

  • Bad firmware, or bad cable and poof goes the smoke.
  • BadPower is the best they could come up with? Not FirePower or EvilPower MagicSmokePower?

  • Because I'd like to know how a diode bridge, voltage regulator, resistor, and a capacitor are considered "firmware"?
  • by Nkwe ( 604125 ) on Monday July 20, 2020 @01:13PM (#60311223)
    Anytime you let a third party handle your critical infrastructure and don't have protections in place to deal with the possibility that your outsourcer doesn't do what you asked, you take a big risk. In this case it sounds like device manufacturers are trusting that the chargers are going to faithfully follow the charging protocol, and don't have protections in place if the protocol is not followed. Granted there is always the possibility that a charger could catastrophically fail and deliver line voltage, but a software error should never cause that. It is quite conceivable that a software error could cause the charging protocol to send the wrong voltage (within the expected range of available voltages) and fully trusting the charger to behave is pretty risky.
  • by Gravis Zero ( 934156 ) on Monday July 20, 2020 @01:16PM (#60311239)

    A BadPower attack is silent, as there are no prompts or interactions the attacker needs to go through, but also fast, as the threat actor only needs to connect their attack rig to the fast charger, wait a few seconds, and leave, having modified the firmware.

    Here's the thing, if they already have access to your device then they can reprogram a vulnerable charger. It could be a new form of ransomware: pay me $20 or I'll melt your phone when you charge it.

    Alternatively, if you are a state actor and wanted to burn down someone's house then this is the ticket.

    • Doesn't really work for ransomware, if you warn someone they can just avoid charging the device.

      • Plus, you can't really follow through with the promise of not frying their phone, because the next time he plugs it in, it will be fried before the phone could send the defusal firmware.

      • Yes... but that means they also can't use it anymore, hence the ransom.... or do you have nuclear batteries in your devices?

    • Comment removed based on user account deletion
  • Plugging into random USB ports is a bad idea [slashdot.org].
  • by OrangeTide ( 124937 ) on Monday July 20, 2020 @01:47PM (#60311395) Homepage Journal

    I worked on a PoE switch/voip router and we had a bug in our early engineering units. If you plug one PoE source into another, for example to bridge two routers together. Then the units would run away trying to drive the other and go up in smoke.

    Q.A. discovered this and decided to reproduce (wtf). We put a halt on testing after four units were ruined. We didn't have a lot of extras and they were partially hand assembled preproduction units of enterprise hardware. Not cheap to waste. Once the problem was resolved, testing was resumed.

  • ...I thought cheap Chinese chargers did this anyway!

  • by Headw1nd ( 829599 ) on Monday July 20, 2020 @02:08PM (#60311505)
    Reading the article (I know, I'm sorry) it seems like this is caused by a plugged in device changing parameters in the firmware, however when discussing affected chargers one of the researchers says that several vulnerable models can't be fixed because the firmware can't be updated. What I don't understand is if the firmware can't be updated, then how can it be modified by the attacker?
    • by bws111 ( 1216812 )

      Yeah, the article does not make much sense. My guess is that some chargers do not check the 'charging parameters' requested by the device for sensible limits. If the firmware in the device (not charger) is altered so it asks for more power than the device can safely handle, bad things happen. Some chargers may check the limits, so they may not be vulnerable (although it would seem you could still program a 'low charging power' device to request more power than it could handle, even if that power is within

    • Maybe the problem is that you can't update the firmware in such a way that it could not be overwritten anymore with malicious firmware.

    • Controller software is in the microcontroller flash, but the configuration settings are in external flash? That would mean you could exploit and clean a device, but can't patch out the vulnerability.

      Things get a bit weird once you step into the sub ten-cent microcontroller market. I've heard of some that are as little as three cents.

  • ... prior art.

  • From the article - "The bad news is that the research team also analyzed 34 fast-charging chips, around which the fast charger models had been built. Researchers said that 18 chip vendors did not ship chips with a firmware update option, meaning there was no way to update the firmware on some fast charger chips." I'm confused. Why is this bad news? If you can't update the firmware, the attack doesn't work. To me, that is good news.
    • by bws111 ( 1216812 )

      I don't think the 'attack' involves changing the firmware in the charger. I think (it is very hard to tell from TFA) that the attack causes the phone (or whatever) to request more power than it can handle. I don't know what the supposed 'fix' to the charger is - maybe put limits on power delivered regardless of what is requested?

      • by mencik ( 516959 )
        I think it was pretty clear that the attack was a change to the firmware of the charger. So, if the firmware of the charger cannot be changed, that would preclude the attack.
  • A transzorb and PTC are dirt cheap to add. Seriously, never assume your input voltage levels are going to be safe. As a side-effect, you tend to eliminate ESD issues as well.
  • If WW3 ever starts, countries will unleash a barrage of unpublished hacks to F up a lot of devices and infrastructure, perhaps even setting cities on fire and poisoning the air and water by over-releasing standard solvents and cleaners.
