Fast charging technology is developing faster and faster, and several Chinese phone manufacturers have even announced 100W and 125W super-fast charging technology in the past few days.
But there has been a lot of doubt and controversy surrounding the safety of fast charging, including the impact on the phone and battery, as well as pitfalls of the technology.
On July 16, Tencent Security Xuanwu Lab released a report stating that a large number of fast-charging devices have security issues.
An attacker could control the charging behavior by rewriting the firmware of a fast-charging device, causing components of the device being charged to burn out, or even worse, the report said.
Conservative estimates of the number of devices affected could be in the hundreds of millions, and anything powered by USB could be a victim, the report said.
Tencent has named this security issue "BadPower". It follows the earlier security reports released by Xuanwu Lab: "BadTunnel", "Applying Clones", "Remnant Reuse" and "BucketShock".
Tencent believes that BadPower may be the world's first attack on the physical world from the digital world with such a wide reach.
Chip burnout during BadPower attack on the device
Xuanwu Lab tested 35 fast-charging chargers, power banks, and more on the market. Eighteen of these models were found to have safety issues. This involved eight different brands and nine different models of fast-charging chips.
With this vulnerability, an attacker could hack into the firmware of a fast-charging device using a special device or a compromised digital terminal such as a phone or laptop.
By controlling the charging behavior, the attacker makes the charging device deliver excessive power to the receiving device. This can result in the breakdown and burning of components of the receiving device, and may further pose a security risk to the physical environment in which the receiving device is located.
Attack methods include both physical and non-physical contact, and a significant proportion of attacks can be accomplished remotely: 11 of the 18 devices can be attacked without physical contact via a digital terminal.
Unlike traditional security issues, BadPower does not result in a privacy breach of the user's data, but it does cause real property damage and can even threaten personal safety.
Fortunately, however, most BadPower issues can be fixed by updating the device's firmware.
For the average user, don't lend your charging device to others or use fast chargers for devices that don't support fast charging.
Tencent also emphasizes that there is no difference in security per se between different fast-charging protocols. The risk mainly depends on whether the device allows its firmware to be rewritten via the USB port and whether the rewrite operation is securely verified.
Xuanwu Lab also researched the fast-charging chips on the market and found that close to 60% of them allow a finished product to update the firmware via USB port.
The team, therefore, recommends that products made with these chips be designed with security in mind, with strict control over the security verification mechanisms, the firmware code, and software vulnerabilities.
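One way to implement the firmware-rewrite verification recommended above, as an added example that is not code from Xuanwu Lab or any vendor. The image layout, key handling and function names are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real charger should verify, so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption, not a real vendor format):
#   magic(4) | version(u32 LE) | payload_len(u32 LE) | payload | tag(32)
MAGIC = b"FCFW"
HEADER = struct.Struct("<4sII")
TAG_LEN = 32
MAX_PAYLOAD = 64 * 1024  # upper bound for the firmware slot


def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: build an image whose tag covers header and payload."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_update(key: bytes, installed_version: int, image: bytes) -> str:
    """Device side: return "accept" or the reason the image is refused."""
    if len(image) < HEADER.size + TAG_LEN:
        return "reject: truncated"
    magic, version, payload_len = HEADER.unpack_from(image)
    if magic != MAGIC:
        return "reject: bad magic"
    # The declared length must match the bytes actually received.
    if payload_len > MAX_PAYLOAD or len(image) != HEADER.size + payload_len + TAG_LEN:
        return "reject: length mismatch"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return "reject: bad tag"
    # The version field is trusted only after the tag has been verified.
    if version <= installed_version:
        return "reject: rollback"
    return "accept"


if __name__ == "__main__":
    demo_key = b"\x11" * 32                       # constructed key
    image = sign_image(demo_key, 5, b"\x00" * 128)  # constructed payload
    print(check_update(demo_key, 4, image))         # genuine, newer image
    print(check_update(demo_key, 4, image[:20] + b"\xff" + image[21:]))
```

The bootloader writes to flash only when the result is "accept"; every other outcome leaves the installed firmware untouched.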
Tencent Security Xuanwu Lab reported the issue to China's regulator, the CNVD, on March 27 of this year. It is also coordinating with relevant vendors to push the industry to adopt positive measures to eliminate BadPower issues.
Tencent also recommended that relevant departments include safety calibration in the national standard for fast-charging technology.
Xiaomi and Anker are now close partners of Tencent Xuanwu Lab and contributed to this research. Xuanwu safety testing will also be included in future fast-charging products on the market.
Tencent Xuanwu Security Labs Q&A:
Q1: What's the approximate impact side of BadPower this time around? Which devices and manufacturers need to pay extra attention to BadPower issues?
A: We are currently analyzing a number of chargers and rechargeable products. But in fact, all devices that support fast-charging technology and can be powered by external power supply may have similar problems.
The fast-charging industry chain manufacturers need to pay special attention to this problem. These include manufacturers of fast-charging devices, as well as manufacturers of fast-charging chips.
Also, any device that is powered via USB can fall victim to the BadPower power overload attack, so at least you should also understand this risk.
Q2: How can vendors address BadPower issues? What do users need to do?
A: Manufacturer: most BadPower issues can be fixed by updating the device firmware.
Depending on the situation, device manufacturers can take steps to fix BadPower issues in their sold products.
For example, they can help users update the firmware in their charging devices through service outlets, or they can issue a safety update over the Internet to fast-charging technology-enabled devices, such as mobile phones, to upgrade the firmware in the charging device.
In the design and manufacture of future fast-charging products:
1. Perform strict legality checks for updating firmware via the USB port, or do not provide this functionality.
2. Perform rigorous security checks on device firmware code to prevent common software vulnerabilities.
Users: ordinary users can also take some measures to mitigate the threat of BadPower. For example, don't easily give your charger or rechargeable battery to others to use.
It is also recommended that you do not use Type-C to other USB cables to allow fast-charging devices to power powered devices that do not support fast-charging.
The reason is that the overload protection of charged devices that support fast-charging technology is usually better than that of charged devices that do not support fast-charging technology.
In the event of a power overload, a device with better overload protection may result in a lesser or even unaffected outcome.
Q3: Please explain how you attack these fast-charging devices and whether this attack can be applied to other devices and scenarios as well?
A: A malicious attacker can use a special device (physical attack) or a compromised digital terminal to rewrite the firmware of a fast-charging device to take control of the charging behavior.
Q4: Did you actually achieve physical attack results on smartphones in this study?
A: The smartphone can be both the medium to launch a BadPower attack and the victim of a BadPower power overload attack, both of which we tested successfully.
However, due to the high cost of testing with a smartphone as a victim, we managed to burn the phone out in the first test. There has been no further testing of other phones since then.
Q5: What are the paths through which security threats can be initiated for this security issue? Can the attack be conducted directly over the network?
A: In our research, we experimented with multiple attack paths. The most direct one is to connect a special attack device directly to the charging adapter.
We also further implemented an attack through a smart terminal. The smart terminal can be controlled by traditional network intrusion methods.
Q6: What is the most serious consequence that this security problem can cause in principle?
A: In the video showing our research results, you can see the effect of the attack on a USB-powered device. You can see that the chip inside the device is burned out.
The consequences vary for different attack targets and attack scenarios.
Specifically, they are related to the overload voltage and current, as well as the circuit layout of the device, component selection, and even the casing material and internal structure of the device.
In most cases, power overload causes irreversible physical damage to the associated chips within the receiving equipment by causing them to break down and burn out.
Since the damage to the chip from a power overload cannot be controlled or predicted, the damage to the chip may also lead to other secondary consequences.
In our tests, we have observed that after a device has been attacked, the broken-down chip is connected between the positive and negative pins of the built-in lithium battery. The resistance has gone from infinity to tens of ohms.
Q7: Did Tencent Security collaborate with fast-charging product manufacturers during this study of security issues? What is the specific form of cooperation?
A: Yes, the main fast-charging product manufacturers that we work with include Xiaomi and Anker.
They are close partners of Xuanwu Lab and contributed to this research work. Xuanwu security testing will also be included in future fast chargers on the market.
Q8: There is a perception that "chips and firmware are just harder software to fix", which describes the status quo of the security gap in hardware development as a whole. Do you agree with this assessment? From your research, what level is the fast-charging chip industry at in terms of security construction?
A: The chip and firmware issues can really be more difficult to resolve. There are two very typical examples.
One is the "residual reuse" problem with off-screen fingerprints that we discovered in late 2017, and that's also at the chip firmware level.
But because we identified the problem when the industry was just starting to use the technology and helped the mobile phone industry solve the problem at the source, we were able to deal with it more completely.
So whatever brand of phone you guys buy now, if it has an off-screen fingerprint feature, it has our contribution in it.
The BadBarcode issue we discovered in 2015 was also present in the device firmware. But because the issue had been in the industry for a decade or two when we discovered it, it was a little trickier to deal with.
We have, however, continued to work on this for the past five years, helping the domestic scanner industry detect and fix the problem, ensuring that newly produced devices are safe.
Based on the experience of having the above two cases, we always call for safety upfront, and consider safety in the design phase.
As for the BadPower issue, Xuanwu Lab actually analyzed 35 fast-charging devices in their research. At least 18 of them were found to have BadPower issues.
The 18 devices in question involved eight brands and nine different models of fast-charging chips. Eleven of them can be attacked from a digital device that supports fast charging.
Meanwhile, Xuanwu Lab researched the entire market for fast-charging chips and found that nearly 60 percent of them give the finished product the ability to update the firmware.
So this is obviously an issue that needs to be taken seriously as well.
Q9: Is this security issue based on a problem that has been around for a long time, and if so, why has this issue gone unnoticed for so long?
A: Fast-charging technology is a relatively young technology, and has only emerged in the last few years. The root cause of this safety problem is that the industry hasn't realized the importance of safety upfront and hasn't made it part of the design process. The security risks introduced by the supply chain are not yet fully understood.
At the same time, it is true that there are not particularly many research teams in the security industry that have been focusing on design-based security issues like our lab.
Q10: The main target of this attack is the protocol chip in fast-charging, and there have been a lot of security problems with chips exposed in recent years. Briefly tell us your opinion?
A: A fast-charging protocol chip is a typical edge chip. However, as the overall electrification and digitization of society continue to accelerate, such chips are present in many applications. In the past, there has been a lack of attention to these types of security threats. Without our research this time, the public may not have even thought that even chargers and rechargeables could be hacked.
In the future digital world, similar chips may become new paths and targets for cyber attacks, so the related security questions need to be considered as early as possible.
Q11: Is there anything special about this BadPower attack approach compared to regular vulnerability mining?
A: BadPower may be the first security issue in the world that can attack the physical world from the digital world and have such a large reach.