BadPower Vulnerability In Fast Chargers Might Make Phones Halt And Catch Fire

A few days ago, Chinese researchers from technology giant Tencent released a paper outlining a firmware vulnerability in several types of fast charger power bricks (translated). The attack is known as BadPower, and it works by altering the default parameters in the firmware of fast chargers to deliver more power to devices than they can handle, which can cause them to overheat, melt, or catch fire.

The ancient and basic USB charging spec provides 0.5 A at 5 V, which is equal to 2.5 W. In theory, that’s all you’ll ever get from those types of chargers. But the newer generation of chargers is different. When you plug your phone into a fast charger, it negotiates a voltage and charging speed with your phone before passing it any power.

Fast chargers can push power at 20 V or more to speed up the charging process, depending on the charger and connected device. If the phone doesn’t do fast charging, it will default to the 5 V standard. Researchers claim the BadPower attack is capable of harming devices whether or not they include a fast charging feature. When a capable device is connected, the charger will still negotiate for 5 V, but instead give 20 V and wreak havoc.

In the demo after the break, one of the team uses a malicious device disguised as a phone to push the BadPower firmware change to a fast charger that’s hooked up to a voltmeter. Before the attack, the charger gives 5 V. After the attack, it gives 5 V for a few seconds before jumping up near 20 V. Then they connect the now-dirty charger to two identical illuminated magnifying glasses. In one, the chip lets the smoke monster out rather violently, and the chips of the other emit sparks.
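The sink-side check that would contain this behaviour, as an added example (not code from the researchers or from any charger or phone vendor): VBUS is kept away from the system until it has settled at the agreed voltage, and the load switch opens and latches the moment the charger delivers more than was negotiated. All names, the 10 % window and the settle count are assumptions, and a real design makes the over-voltage comparison in hardware rather than in a sampling loop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TOLERANCE_PCT  10  /* assumed window: 5 V contract -> 4.5..5.5 V */
#define SETTLE_SAMPLES 3   /* assumed in-window readings before connecting */

typedef struct {
    uint32_t contract_mv;   /* voltage the sink agreed to (5000 if no PD) */
    uint8_t  good_samples;
    bool     gate_closed;   /* true: load switch passes VBUS to the system */
    bool     fault_latched; /* stays set until the cable is detached */
} vbus_guard_t;

void guard_init(vbus_guard_t *g, uint32_t contract_mv)
{
    *g = (vbus_guard_t){ .contract_mv = contract_mv };
}

/* Feed one VBUS reading in mV; returns true if VBUS may reach the system. */
bool guard_sample(vbus_guard_t *g, uint32_t vbus_mv)
{
    uint32_t margin = g->contract_mv * TOLERANCE_PCT / 100;
    if (g->fault_latched)
        return false;
    if (vbus_mv > g->contract_mv + margin) {  /* more than was agreed */
        g->gate_closed = false;
        g->fault_latched = true;
    } else if (vbus_mv < g->contract_mv - margin) {
        g->good_samples = 0;                  /* not ramped up yet, or sagging */
    } else if (!g->gate_closed && ++g->good_samples >= SETTLE_SAMPLES) {
        g->gate_closed = true;
    }
    return g->gate_closed;
}

/* Constructed trace shaped like the demo: about 5 V, then a jump near 20 V. */
static const uint32_t demo_mv[] = { 5010, 4990, 5020, 5000, 5030, 19800, 19900 };

/* Replays the trace; returns the index where the guard tripped, or -1.
 * *max_passed_mv receives the highest reading that reached the system. */
int guard_replay(uint32_t contract_mv, uint32_t *max_passed_mv)
{
    vbus_guard_t g;
    int trip = -1;
    guard_init(&g, contract_mv);
    *max_passed_mv = 0;
    for (size_t i = 0; i < sizeof demo_mv / sizeof demo_mv[0]; i++) {
        if (guard_sample(&g, demo_mv[i]) && demo_mv[i] > *max_passed_mv)
            *max_passed_mv = demo_mv[i];
        if (g.fault_latched && trip < 0)
            trip = (int)i;
    }
    return trip;
}
```

With a 5 V contract the guard trips on the first 19.8 V reading and nothing above 5.03 V reaches the load; with a 20 V contract the same readings are not treated as a fault.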

The researchers tested 35 of the 200+ fast charging bricks currently on the market and found that 18 of them were vulnerable to BadPower, including 11 that can be exploited through the charging port itself. They believe the issue is fixable with a firmware update.

What is not available is enough information to verify this research, or a list of brands/models that are vulnerable. Researchers say the findings were submitted to the China National Vulnerability Database (CNVD) on March 27th, so the absence of this information may be a product of manufacturers needing more time to patch the vulnerability.

What do you think? We say halfway decent chargers shouldn’t be open to firmware attacks from the devices they are charging. And any halfway decent phone should have built-in electrical protection, right?

Via ZDNet

21 thoughts on “BadPower Vulnerability In Fast Chargers Might Make Phones Halt And Catch Fire”

  1. Allowing higher voltages through the same old USB plug was a dumb idea from the beginning, there’s lots of stories of chargers frying devices even without intentionally malicious firmware.

    High voltage USB should have used an extra pin in USB-C plugs for the higher voltages and only be allowed with USB-C to USB-C cables instead of potentially feeding 20v to absolutely anything with a USB connector.

    1. USB PD already specifies all this. No properly designed sink connects Vbus directly to the system, it always has to go through overvoltage protection and only be connected *after* negotiation is complete. If it’s not properly designed, then no amount of “should have” is going to help.

      1. You’re forgetting “old” devices that are only compliant to USB 2.0 / 3.0 specs that didn’t have any of this and that don’t do any negotiation and just expect (rightly so according to specs) that Vbus is between 4.5V and 5.5V.

        New specs define cables to plug those devices to usb-pd bricks and no active circuit / protection is mandated in those cables.

        1. Proper PD sources will deliver high voltages *only* to proper PD sinks. The only instance where your example applies is if both sides are not complying with the standard (a PD source that has been compromised with malware is also non-compliant.) How can the standard be expected to magically protect against problems with hardware that isn’t following it?

          Even if you can think up a mitigation for *this* specific malware scenario, that doesn’t protect against the ones you haven’t thought of yet.

    2. I like the idea of a dedicated pin too. And rather than negotiating it can just always be 20V. This way instead of having a ton of wallwarts in every room we can just have a single unit with a 5v and a 20v power supply and a whole bank of USB connectors in each room where one might need to charge things.

      If 20V isn’t high enough to be future proof for at least the next couple of decades then make it higher but make it constant and consistent.

      In every room where chargers are needed I just want one stand made of flame proof material containing this dual voltage supply with enough amps to handle all my family’s devices and more USB sockets than I can ever fill. And then I want no other wallwarts in the house!

      I guess that almost sounds like having DC outlets but I don’t want to lose all the energy as heat in the walls. I’ll keep AC outlets and just have one DC supply per room please.

  2. From personal experience – my wife’s cheap Chinese phone somehow managed to put a fast charger to 9V. It was charging, a few seconds later it was smoking from connector port.

  3. I definitely don’t want to say it is fake, but the video does not show correct test:
    In the video, the first test is run for ca 5sec fine, but in the second test, the voltage changes to 20V only after 10sec so there could have been no change to the charger at all.
    We also don’t see what is at the other end of the cable – it could be connected to a device which negotiates those 20V.

  4. “What do you think? We say halfway decent chargers shouldn’t be open to firmware attacks from the devices they are charging. And any halfway decent phone should have built-in electrical protection, right?”

    I think by now, any halfway decent hackaday reader should be paranoid of public charging ports. I carry a 20Ah battery pack so I don’t have to find a public charging port. I considered getting a usb condom so I can use public ports without worrying about accidentally connecting to a rogue pc in disguise or something. Now I wonder about building or buying a buck/boost converter to handle the spike and drop it down to 5v at best, or burn out instead of my phone at worst.

  5. There were older phones that had separate USB and charging unit, but this was ditched because one had to have a lot of different chargers. Someone had the idea to use usb-micro as a charger port. That seemed a good idea at the time. Except that Apple didn’t follow. Except that USB 3.0 made to use different cables. Except that there were high current chargers that messed up all.
    A better solution was to mandate a standard coaxial connector or anyway a standard-defined connector with both maybe using 12V/13,8V and built from the start to be a power supply one.

    1. Apple’s lightning did a pretty good job here. “Fast” charge, easily enabled by setting some standard resistors in the USB lines. And the port is good to at least 12V, as I discovered when I tested my cheap car charger and found I’d been charging my phone on 12v for months.

      The rule is simple – if you’re plugging a device into a port you don’t own e.g. in a public place, caveat plugger. Why settle for 20v? If you’re leaving a USB port around for idiots to plug into, you might as well wire it direct to mains. This hack just makes it a bit more subtle if you want to turn public USB chargers into nasties. However, I’d hope any public charger would be a fairly well designed industrial one, able to handle full load without overheating despite being installed inside a box/table etc, and able to handle an outright short without damage. So the chances of it using a firmware susceptible to this is smaller?

      The new issue here is that a bad device (e.g. cable) could permanently reconfigure your own (“trusted”) charger to output 20v. It would be relatively easy to leave cables around an office or something and people aren’t used to seeing cables as an attack vector, though they should, that’s been shown on HAD before.

  6. I attended an internal factory training for a programmable USB-C charging IC about 3 years ago. It took about 5 PowerPoint slides to figure out that I could upload malicious firmware in the field to totally ignore any negotiation and just shove the full voltage down the cable. I brought it up during break but the designers weren’t super interested, citing it as a customer implementation problem. So, I guess make sure you buy chargers from a company that takes security seriously? Good fuckin’ luck.

    1. I had similar some years ago when I cited a loophole in a software system a vendor of ours was selling. They just dismissed it as nobody will try that, and it’s not a problem. 20 mins later we had cracked the software and didn’t need to purchase the expensive upgrade package to use it on our new systems. They still dismissed it even when we showed them it had been performed by the 1st level helpdesk guys.

      1. Some years ago, a major manufacturer supplied the mechanical test frames and software used in our research test facility. They were informed by the head of our lab, who was an eminent PhD researcher in engineering materials, of a flaw in the calculations their software used to calculate modulus of elasticity. They repeatedly told him there was no error. Yet magically, a future update performed the correct calculation. Future test frame purchases were made from their competition. And our test facility continues to this day to export the raw data and do their own calculations, no matter which vendor the test machine came from. Eternal vigilance…

  7. “When you plug your phone into a fast charger, it negotiates a voltage and charging speed with your phone before passing it any power.”

    Seems “negotiation” should be as dumb as possible. Have to get it right the first time, but once done one doesn’t have to fool with it. Harder to fiddle with as well.

    1. Mains handles this pretty well – it offers 240v at 13A. If the device doesn’t want that, it’s free to use fewer amps. It’s a pretty failsafe method. :P

      USB shouldn’t have pushed 20V over what everyone agreed were 5v lines.

      1. Respectfully Apples to Oranges. The simple mains system, can’t deliver the fast recharging of portable devices, consumers desire. Not in the compact form factor, the consumer has become accustomed to. Not with inexpensive devices, consumers have become accustomed to anyway to, anyway. A simple bladed (pins?) fuse could protect the device, but phones in particular don’t have the space. Any a consumer who gets pits pissed off, because their device didn’t get charge, are going to defeat an easy to replace fuse.

        1. Well. that didn’t make sense, I swear I was sober. Apple to oranges, because consumer, don’t yet desire that level of complexity of power delivery from the mains, as they expect from a charging unit to charge their portable devices quickly. All the mains has is to have x amount of power available, and open the circuit, if the current exceeds a set limit. Perhaps an automatically resetting breaker in the charger end could be a solution. I imagine the bean counters would nix that. Like fuses a circuit breaker defeat by any bozo POd that their devices are being recharged. Oh well not a problem I imagine myself having. My I can’t afford such modern devices

    2. Like USB when it was introduced over 20 years ago, using a USB port for charging *was* simple. Just shorting the data lines would enable upping the power from 0.5 amp to 1 amp.

      Then companies like Apple and Samsung decided to make their wall wart chargers “smarter” by implementing a specific resistance across the data lines, which their phones and tablets would check for, then the device would draw power up to what the charger could supply. The chargers were also cross-compatible by acting as a plain USB port with unshorted data lines to provide 0.5 amp to other brands of devices.

      With a bit of wire cutting and soldering, and knowing the proper resistor values, one can make cables to plug between chargers and devices to make the devices pull as much power as they’re capable of, as long as the charger is up to the task. Shouldn’t be difficult to make a little box with a knob to switch from generic 1.0 amp to Samsung, to Apple, to ??? to plug into any USB port.

      There are chips that can auto-detect and negotiate power delivery with many types and brands of devices, but AFAIK in a commercial product they only come in a 3rd party wall wart.

      I want one that’s in a lump in the middle of a USB cable so it can be used with any charger or USB port. It should be able to test the supply and device sides then set up for the maximum power throughput available.

      I installed a dual USB charge port in a truck, the box says 3.0 Amp but only the power lines are connected to the molded port connectors. So anything to pull more than 0.5 Amp would have to be plugged into the “dumb” port.
