Not all cyberattacks focus on data theft. Sometimes the intent is “to achieve the destruction of the physical world through digital means,” Chinese tech giant Tencent warns. The company’s researchers have just disclosed a serious new vulnerability in many of the mass-market fast chargers now used around the world.
When you connect your device to a fast charger with a USB cable, there is a negotiation between the two, establishing the most powerful charge the device can safely handle. This negotiation is managed between the firmware on the device and the firmware on the charger and assumes both will play nicely with one another.
But Tencent’s researchers have now proven that a compromised charger can override this negotiation, pushing more power down the cable than the device can safely handle, likely destroying the device and potentially even setting it on fire.
Because the fast charger is essentially a smart device in its own right, it is open to a malicious compromise. An attack is very simple. With malware loaded onto a smartphone, an attacker connects to the charger, overwriting its firmware and essentially arming it as a weapon for whatever plugs into it next.
The interesting twist here is that the malware might even be on the target device. An attacker pushes that malicious code to your phone. The first time you connect to a vulnerable fast charger, the phone overwrites the charger's firmware. The next time you connect to that same charger to repower your device, your phone will be overloaded.
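The negotiation described above rests on the device trusting that the charger will deliver what was agreed. The following is an added example, not Tencent's research code or any vendor's firmware, and it implements no real charging protocol's message format: it is a constructed model of a sink (the phone) that picks the highest profile it can absorb from what a source (the charger) offers, and then either trusts the source or keeps checking the delivered voltage against the agreed contract. The `Profile`, `Source` and `Sink` names, the voltages and the 10% tolerance are all assumptions made for the illustration.

```python
"""Constructed model of a fast-charge negotiation (not a real protocol).

A trusting sink accepts whatever the source delivers once negotiation is done;
a guarded sink re-checks the delivered voltage against the contract it agreed
to and cuts its input when the source goes outside it.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    """One charge profile the source can advertise (assumed shape)."""
    volts: float
    max_amps: float


@dataclass
class Source:
    """The charger. honest=False models compromised firmware that ignores the
    agreed profile and pushes rogue_volts down the cable instead."""
    offered: Tuple[Profile, ...]
    honest: bool = True
    rogue_volts: float = 20.0

    def deliver(self, agreed: Profile) -> float:
        return agreed.volts if self.honest else self.rogue_volts


@dataclass
class Sink:
    """The device being charged. max_volts is the hardware ceiling it can
    absorb; guarded=True models an input that monitors delivered voltage."""
    max_volts: float
    guarded: bool
    log: List[str] = field(default_factory=list)

    def negotiate(self, source: Source) -> Optional[Profile]:
        # Choose the highest advertised profile at or below our own ceiling.
        safe = [p for p in source.offered if p.volts <= self.max_volts]
        if not safe:
            self.log.append("no acceptable profile; falling back to basic 5 V")
            return None
        agreed = max(safe, key=lambda p: p.volts)
        self.log.append(f"agreed {agreed.volts} V / {agreed.max_amps} A")
        return agreed

    def charge(self, source: Source, tolerance: float = 0.10) -> str:
        """Run one negotiate-then-deliver cycle and report the outcome:
        'charging', 'cut_off' (guard tripped) or 'damaged' (over ceiling)."""
        agreed = self.negotiate(source) or Profile(5.0, 1.0)
        delivered = source.deliver(agreed)
        # A guarded sink trusts the contract, not the charger: anything outside
        # the agreed voltage (within tolerance) trips the input.
        if self.guarded and abs(delivered - agreed.volts) > agreed.volts * tolerance:
            self.log.append(f"delivered {delivered} V outside contract; input cut off")
            return "cut_off"
        if delivered > self.max_volts:
            self.log.append(f"absorbed {delivered} V above ceiling {self.max_volts} V")
            return "damaged"
        return "charging"


# Constructed profiles: a charger advertising 5 V, 9 V and 12 V.
OFFERED = (Profile(5.0, 3.0), Profile(9.0, 2.0), Profile(12.0, 1.5))


def run(max_volts: float, guarded: bool, honest: bool) -> str:
    """Convenience wrapper: outcome for one sink against one source."""
    return Sink(max_volts, guarded).charge(Source(OFFERED, honest=honest))


if __name__ == "__main__":
    for max_v in (12.0, 5.0):
        for guarded in (False, True):
            for honest in (True, False):
                print(f"sink max {max_v} V, guarded={guarded}, honest charger={honest}: "
                      f"{run(max_v, guarded, honest)}")
```

In real hardware the guard is an over-voltage protection circuit at the device's power input rather than firmware logic alone, since firmware cannot react fast enough to a surge; the model shows only the logical check. The basic 5 V sink case mirrors the article's later warning: a device that can only take 5 V still negotiates a valid 5 V contract, so a charger that then delivers more is the failure the guard exists to catch.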
Tencent has produced a demo video, showing how a charger can be compromised and then used to overload a device.
Tencent has dubbed this issue “BadPower,” and warned that “all products with BadPower problems can be attacked by special hardware, and a considerable number of them can also be attacked by ordinary terminals such as mobile phones, tablets, and laptops that support the fast charging protocol.”
The researchers identified 234 fast chargers on the market and tested 35 of them. Of those, they found “at least 18 had BadPower problems and involved eight brands.” Of those 18 charging devices, 11 were vulnerable to a simple attack through a device that also supports the fast charging protocol, such as a mobile phone.
According to the researchers, while there is a risk with devices that are designed to be fast-charged, the greater risk is with those that are not. Their advice is not to plug basic 5 V devices into fast chargers with a USB-to-USB-C cable.
The research team at Tencent’s Xuanwu Lab reported the issue to the China National Vulnerability Database (CNVD) and will also engage with affected manufacturers, they say, on mitigation techniques. Clearly, with this issue disclosed, revised standards need to be put in place.
So, is this really an issue for you to worry about? That depends. There is a broad problem here, with wide-scale safety measures not yet in place. This means the chargers you buy online—with no way of knowing which might be vulnerable—could damage your device or worse. Sticking to well-known manufacturers is clearly a sensible precaution here, as with any such devices you plug in at home.
There is a slightly darker threat here also, one that affects those of you who might find yourselves targeted by bad actors. Think dissidents, reporters, protesters. A simple attack that could impair your ability to communicate, potentially knocking you offline, could be relevant. You should take care over the chargers you use.
We have seen warnings before on the use of chargers, either those in public spaces or those we borrow from others. That issue has been all about the potential for data theft when you use a data cable to charge your device and do not know the provenance of the charger itself. We have even seen compromised data cables used for the same purpose, where the cable hides a wireless connection.
That advice—to be careful when you connect your smart device with a smart cable that can do more than simply charge—is the same in both cases.
Beyond the specifics, this is yet another warning on the perils of the fast-growing IoT space, where we buy, plug in and connect myriad devices. Our homes and offices are now filled with tech, and while we worry about our computers, phones and tablets, we pay little attention to the kitchen gadgets, the smart home accessories, and the toys we buy online from makers we have never heard of before.
You are surrounded by countless little computers, many of which you connect to your Wi-Fi and which offer a route to the outside world. The issue you face, of course, is usually all about data and security compromise. This report from Tencent shows that there are other dangers as well, stemming from that same issue.