BadPower attack could burn your phone: a fast charging bug discovered by Tencent

Tencent Security Xuanwu Lab has found a new type of safety problem in some fast charging products and named it "BadPower".
Using BadPower, an attacker can compromise devices such as chargers that support fast charging technology and make the compromised device output an excessively high voltage when it powers another device. The result is breakdown and burning of components in the powered device, and possibly further damage to the physical environment where the device is located, creating a safety hazard.

  • Technical background

Fast charging technology is a charging technology over the USB interface that has emerged only in recent years.
Early chargers with USB interfaces could output only a small amount of power, and it took several hours to fully charge a phone. Current fast charging technology can provide a maximum voltage of at least 20V and a power of 100W. Charging devices that support fast charging can charge a mobile phone in tens of minutes and can even power larger devices such as laptops and desktop monitors. For this reason fast charging has become an industry hot spot in just two or three years. Almost all new digital products such as mobile phones, tablets and notebook computers support fast charging, and a large number of chargers, power banks, car chargers and other products that support it have appeared on the market.
A fast charging operation involves the power supply end, the charging cable and the power receiving end. When the power supply end and the power receiving end are connected through the charging cable, they first carry out power negotiation and communication: a power level supported by both parties is negotiated, and the power supply end then supplies power to the receiving end at that level.
Both the power supply end and the power receiving end run a program that completes the power negotiation and controls the charging process. This program is usually stored in the firmware of the fast charge management chip on each end.

  • Problem Description

The fast charge protocol carries not only power but also data. Some manufacturers have designed interfaces in the data channel that can read and write the built-in firmware, but they have not performed effective security verification of these read and write operations, or the verification process is flawed, or the implementation of the fast charge protocol contains memory corruption bugs. An attacker can use these problems to rewrite the firmware of the fast charging device and thereby control its power supply behavior.
Under normal circumstances, a fast charging device supplies a default voltage of 5V to power receiving devices that do not support fast charging. But if the code that controls the power supply behavior in the fast charging device is rewritten, the device can output a voltage of up to 20V to these receiving devices, which can only accept 5V, resulting in a power overload.
Even for a powered device that does support fast charging, a compromised charging device can tell the powered device during power negotiation that it will provide 5V while actually providing 20V.
All products with the BadPower problem can be attacked through special hardware, and a considerable number of them can also be attacked through ordinary terminals such as mobile phones, tablets and laptops that support fast charging protocols.
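The two defects named above, a firmware-write interface on the data channel with no authorization check and memory corruption in the protocol implementation, are both visible in how a charger's firmware handles a "write firmware block" command. The following C handler is an added example written for this article, not code from Xuanwu Lab or from any charger vendor; the message layout (one command byte, a little-endian 32-bit offset, a one-byte length, then the payload), the region size and the `update_session_authenticated` flag are all assumptions. It refuses writes unless an authenticated update session has been established, rejects messages whose declared length does not match the bytes actually received, and checks the offset and length against the firmware region with overflow-safe arithmetic before copying anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_REGION_SIZE (16u * 1024u) /* application firmware region (assumed size) */
#define FW_BLOCK_MAX   64u           /* largest payload one write command may carry (assumed) */
#define MSG_HEADER_LEN 6u            /* cmd(1) | offset(4, little-endian) | len(1) (assumed layout) */
#define CMD_FW_WRITE   0x57          /* assumed command id for "write firmware block" */

typedef enum { FW_ACCEPTED, FW_REJECT_LOCKED, FW_REJECT_MALFORMED, FW_REJECT_RANGE } FwResult;

static uint8_t fw_region[FW_REGION_SIZE];

/* Only set after the vendor's authenticated unlock succeeds (assumed; the unlock
   itself, e.g. a signature check over an update token, is outside this example). */
static bool update_session_authenticated = false;

bool set_update_session(bool authenticated) {
    update_session_authenticated = authenticated;
    return true;
}

FwResult handle_fw_write(const uint8_t *msg, size_t msg_len) {
    /* 1. Authorization gate: an unauthenticated peer never reaches the parser. */
    if (!update_session_authenticated) return FW_REJECT_LOCKED;

    /* 2. Structural checks: header present, right command, sane declared length. */
    if (msg_len < MSG_HEADER_LEN || msg[0] != CMD_FW_WRITE) return FW_REJECT_MALFORMED;
    uint8_t len = msg[5];
    if (len == 0 || len > FW_BLOCK_MAX) return FW_REJECT_MALFORMED;
    if (msg_len - MSG_HEADER_LEN != len) return FW_REJECT_MALFORMED; /* declared vs received */

    /* 3. Range check without overflow: offset <= size and len <= size - offset. */
    uint32_t offset = (uint32_t)msg[1] | ((uint32_t)msg[2] << 8) |
                      ((uint32_t)msg[3] << 16) | ((uint32_t)msg[4] << 24);
    if (offset > FW_REGION_SIZE || (uint32_t)len > FW_REGION_SIZE - offset) return FW_REJECT_RANGE;

    memcpy(&fw_region[offset], msg + MSG_HEADER_LEN, len);
    return FW_ACCEPTED;
}

/* Bounds-checked read-back so callers can confirm what was written. */
uint8_t fw_region_byte(uint32_t offset) {
    return offset < FW_REGION_SIZE ? fw_region[offset] : 0;
}

/* Constructed test messages (not captured from any real device). */
static const uint8_t kMsgInRange[]      = {0x57, 0x00, 0x01, 0x00, 0x00, 4, 'A', 'A', 'A', 'A'};
static const uint8_t kMsgOverflow[]     = {0x57, 0xFC, 0xFF, 0xFF, 0xFF, 8, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t kMsgPastEnd[]      = {0x57, 0xFC, 0x3F, 0x00, 0x00, 8, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t kMsgShortPayload[] = {0x57, 0x00, 0x00, 0x00, 0x00, 8, 1, 2, 3, 4};

int main(void) {
    printf("locked:   %d\n", handle_fw_write(kMsgInRange, sizeof kMsgInRange));
    set_update_session(true);
    printf("in range: %d\n", handle_fw_write(kMsgInRange, sizeof kMsgInRange));
    printf("overflow: %d\n", handle_fw_write(kMsgOverflow, sizeof kMsgOverflow));
    printf("past end: %d\n", handle_fw_write(kMsgPastEnd, sizeof kMsgPastEnd));
    printf("short:    %d\n", handle_fw_write(kMsgShortPayload, sizeof kMsgShortPayload));
    return 0;
}
```

The `kMsgOverflow` message is the case a naive `offset + len < size` test gets wrong: the 32-bit addition wraps and the write lands outside the region, which is exactly the kind of memory corruption the article describes. Splitting the comparison into `offset > size` and `len > size - offset` cannot wrap.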
The process of a typical BadPower attack initiated through special hardware is as follows:
1. The attacker connects a special device disguised as a mobile phone to the charging port of the charger and compromises the charger's internal firmware.
2. When the user later uses the compromised charger to charge other devices, the charger performs a power overload attack on the powered device.
The process of a typical BadPower attack through an ordinary terminal is as follows:
1. The attacker compromises the user's mobile phone, notebook computer or other terminal device in some way and implants a malicious program with BadPower attack capabilities, turning the terminal device into a BadPower attack agent.
2. When the user connects the terminal device to a charger, the malicious program in the terminal device compromises the charger's internal firmware.
3. When the user later uses the compromised charger to charge a device, the charger performs a power overload attack on the powered device.

  • Consequences

BadPower does not cause the data or privacy leakage of traditional network security issues, but it can damage the physical world from digital space.
During the research, Xuanwu Lab tested a variety of power receiving devices and found that the consequences of a BadPower power overload depend on the voltage and current during the overload, as well as on the circuit layout of the receiving device, its choice of components, and even its shell material and internal structure. A few receiving devices with better overload protection are not affected by a BadPower overload attack. In most cases, however, the overload causes the relevant chips in the receiving device to break down and burn out, resulting in irreversible physical damage. In rare cases, a BadPower attack may also affect the safety of the physical environment around the device.
The damage a chip suffers from a power overload cannot be controlled or predicted, so the destruction of the chip may lead to further secondary consequences. In our tests we observed that after one device was attacked, the resistance between two pins of the broken chip, which are connected to the positive and negative terminals of the built-in lithium battery, changed from infinite to tens of ohms.

  • Scope of impact

Fast charging products are inexpensive and user demand is high. At the same time, more and more products that support fast charging are on the market and ship with chargers that support it. The number of users affected by the BadPower problem is therefore very large, and if the problem is not resolved it will keep growing.
During the investigation, Xuanwu Lab found at least 234 fast charging devices on the market. Xuanwu Lab tested 35 of them and found that at least 18 had BadPower problems, involving 8 brands. Of those 18 models, 11 can be attacked through digital terminals that support fast charging.
Xuanwu Lab also investigated 34 fast charging chip manufacturers and found that at least 18 of them produce chips whose firmware can be updated after the finished product ships. If security is not fully considered when products using these chips are designed and manufactured, BadPower may result.

  • Safety advice

Most BadPower problems can be fixed by updating the device firmware. Device manufacturers can repair BadPower problems in products already sold as the situation allows, for example by helping users update the firmware of charging devices through service outlets, or by issuing security updates over the Internet to mobile phones and other terminal devices that support fast charging, which then upgrade the firmware in the charging device.
When designing and manufacturing fast charging products in the future, manufacturers should:
1. Perform strict legitimacy verification of firmware updates performed through the USB port, or not provide this function at all;
2. Perform strict security checks on the device firmware code to prevent common software vulnerabilities.
We also suggest adding technical requirements for security verification during firmware updates to the relevant national standards for fast charging technology. We recommend adding components such as chip fuses, or an overvoltage protection circuit that can withstand at least 20V, to USB-powered receiving devices that do not support fast charging. We recommend that powered devices that do support fast charging continue to check the input voltage and current after power negotiation to confirm that they stay within the negotiated range.
Ordinary users can also take some measures to mitigate the threat of BadPower. For example, do not casually lend your chargers, power banks and similar devices to others. We also recommend not using Type-C to other USB interface cables to let a fast charging device power a receiving device that does not support fast charging, because the overload protection of receiving devices that support fast charging is usually better than that of devices that do not. In the event of a power overload, a device with better overload protection may suffer lighter consequences or may not be affected at all.
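The last recommendation above, that a fast-charge sink keep checking the input against the negotiated contract rather than trusting the negotiation alone, is what defeats a source that advertises 5V and then delivers 20V. The following C monitor is an added example for this article, not code from Xuanwu Lab or from any chip vendor; the ±5% acceptance window, the 5V/500mA default contract for sinks that never negotiated, and the ADC sample streams are constructed assumptions. `first_fault_index` returns the sample at which the sink should open its input switch, or -1 if every sample stays inside the contract.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { PWR_OK = 0, PWR_OVERVOLTAGE, PWR_UNDERVOLTAGE, PWR_OVERCURRENT } PowerFault;

/* Assumed acceptance window around the negotiated voltage; a real sink uses the
   window its fast charge protocol specifies. */
#define VOLTAGE_TOLERANCE_PERCENT 5u

/* Contract to enforce when no fast charge negotiation took place (the article's
   "5V by default" case); the current limit is an assumed conservative legacy value. */
#define DEFAULT_CONTRACT_MV     5000u
#define DEFAULT_CONTRACT_MAX_MA 500u

/* Compare one measurement (millivolts, milliamps) against the negotiated contract. */
PowerFault check_input(uint32_t contract_mv, uint32_t contract_max_ma,
                       uint32_t measured_mv, uint32_t measured_ma) {
    uint32_t tol = contract_mv * VOLTAGE_TOLERANCE_PERCENT / 100u;
    if (measured_mv > contract_mv + tol) return PWR_OVERVOLTAGE;
    if (measured_mv + tol < contract_mv) return PWR_UNDERVOLTAGE;
    if (measured_ma > contract_max_ma)   return PWR_OVERCURRENT;
    return PWR_OK;
}

/* Walk a stream of samples taken after negotiation. Returns the index of the first
   sample that violates the contract (where the input switch must open and the
   session be torn down), or -1 if all samples are in range. */
int first_fault_index(uint32_t contract_mv, uint32_t contract_max_ma,
                      const uint32_t *mv, const uint32_t *ma, int n, PowerFault *fault_out) {
    for (int i = 0; i < n; i++) {
        PowerFault f = check_input(contract_mv, contract_max_ma, mv[i], ma[i]);
        if (f != PWR_OK) {
            if (fault_out) *fault_out = f;
            return i;
        }
    }
    if (fault_out) *fault_out = PWR_OK;
    return -1;
}

#define SAMPLE_COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed sample streams (not measurements from any real device). */
/* Source negotiated 5V, then ramps the rail toward 20V: the BadPower pattern. */
static const uint32_t kSpoofedMv[] = {4950, 5020, 5100, 12000, 20000};
static const uint32_t kSpoofedMa[] = { 800,  820,  850,   900,   950};
/* Source negotiated 20V and stays within tolerance. */
static const uint32_t kHonestMv[] = {19800, 20100, 19950, 20200};
static const uint32_t kHonestMa[] = { 2000,  2500,  2400,  2600};
/* Legacy 5V-only sink, no negotiation, rail pushed to 9V. */
static const uint32_t kLegacyMv[] = {5000, 5050, 9000};
static const uint32_t kLegacyMa[] = { 300,  320,  340};

int main(void) {
    PowerFault f;
    int i = first_fault_index(5000, 3000, kSpoofedMv, kSpoofedMa, SAMPLE_COUNT(kSpoofedMv), &f);
    printf("spoofed 5V contract: fault %d at sample %d\n", f, i);
    i = first_fault_index(20000, 3000, kHonestMv, kHonestMa, SAMPLE_COUNT(kHonestMv), &f);
    printf("honest 20V contract: fault %d at sample %d\n", f, i);
    i = first_fault_index(DEFAULT_CONTRACT_MV, DEFAULT_CONTRACT_MAX_MA,
                          kLegacyMv, kLegacyMa, SAMPLE_COUNT(kLegacyMv), &f);
    printf("legacy 5V sink:      fault %d at sample %d\n", f, i);
    return 0;
}
```

Note that the check is applied to the contract the sink actually agreed to, not to whatever the source claims later; a compromised charger that advertises 5V during negotiation and then raises the rail trips the monitor at the first out-of-window sample, before the rail reaches 20V.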
Xuanwu Lab reported this security issue to CNVD on March 27, 2020, and is actively working with the relevant manufacturers to get the industry to address the BadPower issue together; it will also coordinate with industry bodies to accelerate the formulation and adoption of related security standards. Since we cannot test every product on the market, we also call on more manufacturers in the supply chain to pay attention to this issue. Xuanwu Lab will continue to research related problems and look for better solutions.
