Silent BadPower Attacks Could Give Your Devices a Meltdown

You have probably heard of incidents where electronic devices caught fire during prolonged charging. But did you ever imagine that those devices could be deliberately manipulated into catching fire?

Researchers demonstrate a new threat

Tencent, the Chinese tech giant, said it is possible to alter the firmware inside fast chargers so that the connected device heats up to the point of malfunction, using the ‘BadPower’ technique.
  • According to the researchers, altering the firmware of fast chargers could cause components to heat up, melt, or even catch fire.
  • Reportedly, BadPower corrupts fast chargers, a class of charger developed in the past few years to speed up charging times.

The BadPower technique

The special firmware within a fast charger communicates with the connected device and decides on a charging speed based on the device's capabilities.
  • Because not all devices support fast charging, and the supported level varies from device to device, a standard charger delivers 5V.
  • The problem arises with devices capable of handling higher voltages.
  • Devices that support fast charging speeds can be set up to deliver up to 12V, 20V, and more.
  • Manipulating the charging parameters to deliver a higher voltage than the device can handle is, in essence, the BadPower technique.

How does the BadPower Attack work?

According to the researchers, these attacks are silent and fast: an attacker only needs to rig the fast charger, wait for a moment, and leave.
  • With some fast charger models, simply tampering with the charger is enough for it to end up damaging devices.
  • In other cases, where chargers aren’t compatible, threat actors can also load malware on the devices.
  • As soon as a user connects their fast charger to an infected device, the malicious code changes the behavior of the firmware in the fast charger and executes a power overload command.
  • Researchers tested 35 fast chargers and found 18 chargers, from eight vendors, vulnerable to BadPower attacks. However, the potential damage caused by the attack can vary significantly depending on the fast charger model and its charging capabilities, the device connected to it, and its protection measures.
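
The article notes that the damage depends on the connected device's protection measures. One such measure, as an added sketch that is not from the Tencent research or any vendor's firmware: the device compares the voltage it measures on the cable with the level it agreed to and cuts its input when the charger delivers more. Function names, the 10% tolerance and the sample readings are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: names, tolerance and sample readings are assumptions. */
#define DEFAULT_MV    5000u  /* the standard 5V level named in the article */
#define TOLERANCE_PCT 10u    /* assumed allowance for measurement noise */

typedef enum { BUS_OK, BUS_OVERVOLTAGE } bus_state_t;

/* Choose the highest offered level the device can handle; else stay at 5V. */
uint32_t negotiate_mv(const uint32_t *offered_mv, size_t n, uint32_t device_max_mv)
{
    uint32_t chosen = DEFAULT_MV;
    for (size_t i = 0; i < n; i++)
        if (offered_mv[i] <= device_max_mv && offered_mv[i] > chosen)
            chosen = offered_mv[i];
    return chosen;
}

/* Trust the measurement, not the charger: flag anything above what was agreed. */
bus_state_t check_bus(uint32_t negotiated_mv, uint32_t measured_mv)
{
    uint32_t limit = negotiated_mv + (negotiated_mv * TOLERANCE_PCT) / 100u;
    return measured_mv > limit ? BUS_OVERVOLTAGE : BUS_OK;
}

/* Index of the first reading at which the device should cut its input, or -1. */
int first_violation(uint32_t negotiated_mv, const uint32_t *samples_mv, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (check_bus(negotiated_mv, samples_mv[i]) == BUS_OVERVOLTAGE)
            return (int)i;
    return -1;
}

int main(void)
{
    const uint32_t offered[] = { 5000, 12000, 20000 };        /* constructed offer */
    const uint32_t readings[] = { 5050, 5100, 20000, 20000 }; /* constructed trace */
    uint32_t agreed = negotiate_mv(offered, 3, 5000);         /* 5V-only device */
    int idx = first_violation(agreed, readings, 4);
    printf("agreed %u mV, first overvoltage sample: %d\n", (unsigned)agreed, idx);
    return idx >= 0 ? 0 : 1;
}
```

The check only helps if it runs on the device side, independently of anything the charger reports about itself.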

Is there a fix?

Though most BadPower problems can be fixed by updating the device firmware, not all vendors ship fast chargers with a firmware update option. Meanwhile, the researchers have notified all the affected vendors and the Chinese National Vulnerabilities Database (CNVD) about their findings. They hope the vendors and regulatory bodies will adopt relevant security standards to protect against BadPower attacks.