Dangerous BadPower Hack Can Destroy Fast Chargers And Set Devices Ablaze


Security researchers from China have outlined a new attack dubbed BadPower that can alter the firmware of fast chargers to cause damage to power systems of connected devices. Using the technique, the researchers say they can melt components or potentially set devices on fire. BadPower was detailed last week in a report published by Xuanwu Lab, which is a research unit of Chinese tech giant Tencent.

BadPower works by corrupting the firmware of fast chargers, a newer type of charger developed in the last few years that enables the batteries of smartphones and laptops to be topped off rapidly. One key difference between a regular charger and a fast charger is the firmware inside the latter, which talks to the connected device to negotiate charge speed based on the device's capability. That firmware determines whether fast charging is supported and, if not, delivers a standard 5V charge.


BadPower alters the default charging parameters to deliver more voltage than the attached device can handle. That additional voltage degrades and damages the receiver components inside the connected device, causing components to heat up, bend, melt, or even burn. The researchers say the attack is silent, with no prompts or interaction required from the attacker.
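The negotiation and the overvoltage condition described above can be modelled in a few lines; this is a simplified example added here, not code from the Xuanwu Lab report or from any charger firmware. It also includes a device-side check that compares the measured supply voltage with the agreed level, which the article does not describe. The function names, the 5% tolerance and the sample readings are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not the real fast-charging protocol. Units: millivolts. */
#define DEFAULT_MV    5000  /* the standard 5V charge named in the article */
#define TOLERANCE_PCT 5     /* assumed margin for the device-side check */

/* Charger side: the level an honest firmware agrees to deliver. */
int negotiate_mv(bool sink_supports_fast, int sink_max_mv, int charger_max_mv) {
    if (!sink_supports_fast)
        return DEFAULT_MV;              /* no fast charging: fall back to 5V */
    int mv = sink_max_mv < charger_max_mv ? sink_max_mv : charger_max_mv;
    return mv < DEFAULT_MV ? DEFAULT_MV : mv;
}

/* Device side: true when the measured rail exceeds the agreed level. */
bool vbus_overvoltage(int negotiated_mv, int measured_mv) {
    int limit = negotiated_mv + negotiated_mv * TOLERANCE_PCT / 100;
    return measured_mv > limit;
}

/* Device side: keep the input connected only if the rail matches the deal. */
bool sink_accepts(bool supports_fast, int sink_max_mv,
                  int charger_max_mv, int measured_mv) {
    int agreed = negotiate_mv(supports_fast, sink_max_mv, charger_max_mv);
    return !vbus_overvoltage(agreed, measured_mv);
}

int main(void) {
    /* Constructed samples: fast?, device max, charger max, measured rail. */
    struct { bool fast; int sink_max, chg_max, measured; } s[] = {
        { false, 5000, 20000,  5050 },  /* 5V-only device, honest charger */
        { true,  9000, 20000,  9100 },  /* fast-charge device, honest charger */
        { false, 5000, 20000, 20000 },  /* charger ignores the agreed level */
    };
    for (int i = 0; i < 3; i++) {
        int agreed = negotiate_mv(s[i].fast, s[i].sink_max, s[i].chg_max);
        printf("agreed=%dmV measured=%dmV -> %s\n", agreed, s[i].measured,
               sink_accepts(s[i].fast, s[i].sink_max, s[i].chg_max,
                            s[i].measured) ? "charge" : "disconnect");
    }
    return 0;
}
```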

Essentially, the victim only needs to plug their device into a fast charger that has the corrupted firmware for the attack to take place. Setting up the attack is said to be very quick, with the attacker only needing to connect their properly configured attack device to the charger, wait a few seconds for the firmware to be modified, and walk away. On some fast chargers, no special equipment is needed, and the attack code can be loaded on a smartphone or laptop.

Once the modified firmware is installed, the fast charger will perform a power overload on any subsequently connected device. Researchers noted that out of 35 fast chargers tested, 18 were vulnerable to their attack. The team also analyzed 34 different fast-charging chips used in the latest fast charger models and found that 18 vendors shipped chips that lacked upgradable firmware, leaving the vulnerability unpatchable. BadPower is a particularly nefarious attack that would likely result in the smartphone vendor being blamed for the fire if executed in the wild.