Fast charging tech is the latest fad in the smartphone industry, and manufacturers are competing to develop super-fast charging technology, most recently including 100W and 125W charging. But a new vulnerability dubbed ‘BadPower’ can corrupt fast chargers so that they melt, burn, or set fire to your smartphone.
Researchers from Chinese tech giant Tencent discovered the vulnerability. They said that the firmware of fast chargers could be altered to damage connected (charging) systems and melt the components, or even set mobile devices on fire.
The technique, dubbed the BadPower attack, was described in a report published last week by Xuanwu Lab (a research unit of Chinese tech giant Tencent).
How does BadPower attack burn smartphones?
To understand this, let’s talk about how fast chargers work in general:
A fast charger may look like your regular charger, but it comes with special firmware. The firmware can “communicate” with the connected device to negotiate a charging speed based on the device’s capabilities.
If the device doesn’t support a fast-charging feature, the fast charger delivers the standard 5V of electricity. But if the device can handle bigger inputs, the charger can use 12V, 20V, or an even faster charging speed.
The BadPower attack corrupts the firmware of fast chargers. It alters the default charging parameters so that the charger pushes a higher voltage than the device being charged can handle. This damages and degrades the receiving device’s components, causing them to heat up, melt, bend, or even burn.
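The negotiation described above, and the device-side check that limits the damage when a charger does not honour it, sketched as an added example that is not code from the Tencent report or from any charger vendor. All names are hypothetical and the 5% tolerance is an assumed value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* All names are hypothetical; voltages are in millivolts. */
enum sink_action { SINK_CHARGE, SINK_DISCONNECT };

struct sink {
    uint32_t max_input_mv;   /* highest level the device can handle */
    uint32_t tolerance_pct;  /* assumed margin above the agreed level */
    uint32_t negotiated_mv;  /* level agreed with the charger */
    bool tripped;            /* latched after an over-voltage sample */
};

/* Negotiation: take the highest offered level the device can handle,
 * falling back to the standard 5 V when no faster level fits. */
uint32_t sink_negotiate(struct sink *s, const uint32_t *offers_mv, size_t n)
{
    uint32_t chosen = 5000;
    for (size_t i = 0; i < n; i++)
        if (offers_mv[i] <= s->max_input_mv && offers_mv[i] > chosen)
            chosen = offers_mv[i];
    s->negotiated_mv = chosen;
    s->tripped = false;
    return chosen;
}

/* Monitoring: called for every measured sample of the supply voltage.
 * The charger's firmware is not trusted to honour the agreement, so the
 * device checks the measurement itself and latches the input path open
 * on the first sample above the agreed level plus tolerance. */
enum sink_action sink_sample(struct sink *s, uint32_t measured_mv)
{
    uint32_t limit = s->negotiated_mv + s->negotiated_mv * s->tolerance_pct / 100;
    if (measured_mv > limit)
        s->tripped = true;   /* stays set until the next negotiation */
    return s->tripped ? SINK_DISCONNECT : SINK_CHARGE;
}
```

The latch matters: a charger that briefly drops back to the agreed level after an over-voltage sample is still treated as untrusted until the device negotiates again.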
18 out of 35 Fast Chargers found vulnerable
The Tencent research team tested BadPower attacks on 35 fast chargers selected from 234 models available on the market. They found that 18 models from 8 different vendors were vulnerable to this flaw.
While the BadPower flaw can be fixed in several fast chargers by updating the device’s firmware, the researchers said that 18 chip vendors did not ship chips with a firmware update option. This means there is no way to fix the vulnerability in those devices.
BadPower attack: Quick and silent
The fact that the BadPower attack is a silent one makes it deadly. The attacker is at no risk of raising any alarm; all they need to do is connect their attacking rig to the fast charger. The worst part is that it can be done within seconds.
It gets even worse. With some fast chargers, the attackers don’t even need hardware. They can load the firmware-modifying attack code onto the target smartphone or laptop. When a victim connects their infected smartphone or laptop to a fast charger, the device could go up in flames.
Note that the extent of damage caused by a BadPower attack would vary depending on the fast charger model, the mobile device, and the protection against malicious code.