We live in an era where malware targets smartphones and other devices from the Internet of Things (IoT) world. This is not a desirable situation, but unfortunately, it is happening more frequently and more destructively.
Of course, criminals look for other ways to carry out attacks, choosing different pathways and landscapes. Most recently, the focus is on chargers that can attack a smartphone until it melts or burns.
Security researchers recently compromised various chargers with malicious code to deliver more voltage than the connected device could handle. With this approach in place, the overload caused the components inside the affected electronics to spark, sizzle, and melt. The attack is known as bad power. It works by altering the default parameters in the fast charger firmware.
Common fast chargers are potentially vulnerable to this attack.

Let’s look briefly at how fast chargers work. A fast charger may look like a regular charger, but it is built with special firmware. The charger firmware communicates with the connected device to establish a charging speed based on the device’s capabilities; remember that each device has its own features and power speed.
If the target device doesn’t support fast charging, the fast charger delivers the standard power, 5V. On the other hand, if it accepts higher charging inputs, the charger can use 12V, 20V, or even faster charging speeds. This is the crucial point that the bad power attack exploits.
This is where the bad power attack comes in: it corrupts the charger firmware. The exploit tampers with the default charging parameters in the firmware so that the charger pushes a higher voltage than the charging device can handle. This abnormal behavior damages and degrades the receiving device’s components, in dramatic scenarios leading it to burn completely.
These days, the exploitation of physical and hardware flaws should be considered a common and serious problem. Although bad power can be a beast if the target device is connected to the right charger, the damage caused by this attack varies depending on the fast charger model, the mobile device, and the protection in place against malicious code.
The researchers didn’t share the names of the vulnerable products, but the specific vendors were contacted. China’s National Vulnerability Database was also contacted about the potential problem. To mitigate and reduce the risks of this attack, it’s suggested that manufacturers add additional fuses to devices that support lower-voltage fast charging. Other suggestions are to harden the charger firmware to prevent unauthorized modifications and to deploy overload protection on charged devices. Users must be warned about the problems of using third-party chargers or power banks, for example in cyber-spaces, airports, shopping centers, etc.
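The overload protection suggested above can be pictured as a check on the charged device that does not trust the charger. The following C sketch is an added example, not code from the researchers or any vendor. It is a simplified model rather than a real fast-charging protocol stack, and the function names, the 10% margin and the sample readings are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DEFAULT_MV     5000u  /* standard power level named in the article */
#define OVP_MARGIN_PCT 10u    /* assumed tolerance above the agreed voltage */

/* Device side of the negotiation: pick the highest offered voltage the
 * device supports; with no usable fast-charge offer, stay at 5 V. */
uint32_t negotiate_mv(const uint32_t *offered, size_t n, uint32_t device_max_mv)
{
    uint32_t chosen = DEFAULT_MV;
    for (size_t i = 0; i < n; i++)
        if (offered[i] <= device_max_mv && offered[i] > chosen)
            chosen = offered[i];
    return chosen;
}

/* Overload protection on the charged device: compare each measured input
 * voltage with what was agreed, independently of the charger firmware.
 * Returns the index of the sample at which the input switch opens, or -1. */
int monitor_vbus(uint32_t agreed_mv, const uint32_t *samples, size_t n)
{
    uint32_t limit = agreed_mv + agreed_mv * OVP_MARGIN_PCT / 100u;
    for (size_t i = 0; i < n; i++)
        if (samples[i] > limit)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample data: voltages offered by a charger and the
     * readings seen by a device that only supports the 5 V default. */
    const uint32_t offered[]  = { 5000, 12000, 20000 };
    const uint32_t honest[]   = { 5000, 5100, 4950 };
    const uint32_t tampered[] = { 5000, 5200, 20000, 20000 };

    uint32_t agreed = negotiate_mv(offered, 3, 5000);
    printf("agreed voltage: %u mV\n", (unsigned)agreed);
    printf("honest charger, cut-off at sample: %d\n",
           monitor_vbus(agreed, honest, 3));
    printf("tampered charger, cut-off at sample: %d\n",
           monitor_vbus(agreed, tampered, 4));
    return 0;
}
```

The device ignores what the charger claims and acts only on the agreed value and its own measurement, which is why this protection still holds when the charger firmware has been modified.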