Researchers at Tencent Security Xuanwu Lab have discovered a vulnerability in many popular fast chargers. The Chinese technology firm warns that hackers have found a way to remotely manipulate the charging process of smartphones, not to steal data, but “to achieve destruction of the physical world through digital means.”
The hack, dubbed “BadPower,” can destroy a user’s smartphone or even potentially set it on fire. The research team said the attack involves corrupting the firmware in a charging device in a way that prevents it from agreeing on a set voltage. This creates the potential to overload a device with more voltage than it can handle.
Tencent says “all products with BadPower problems can be attacked by special hardware, and a considerable number of them can also be attacked by ordinary terminals such as mobile phones, tablets, and laptops that support the fast charging protocol.”
Tencent identified 234 rapid chargers on the market and tested 35 of them. Of those 35 charging devices, at least 18 “had BadPower problems,” said Tencent, whose report includes a video demonstrating how the manipulation could be carried out.
The team said the vulnerability could be fixed if affected manufacturers released the appropriate firmware. Tencent has reported the issue to the China National Vulnerability Database (CNVD) and said it will discuss mitigation techniques with manufacturers. Tencent’s suggestions to fix the problem include hardening firmware to prevent unauthorized modifications and adding overload protection to charged devices.
While the vulnerability exists, the researchers advised users not to plug basic 5V devices into fast chargers with a USB-to-USB-C cable and to be wary of loaning their phone charger or power bank to others.