Author Topic: Hackers Can Now Trick USB Chargers To Destroy Your Devices  (Read 7531 times)

0 Members and 1 Guest are viewing this topic.

Offline splinTopic starter

  • Frequent Contributor
  • **
  • Posts: 999
  • Country: gb
Hackers Can Now Trick USB Chargers To Destroy Your Devices
« on: July 21, 2020, 03:15:50 pm »
https://www.forbes.com/sites/zakdoffman/2020/07/20/hackers-can-now-trick-usb-chargers-to-destroy-your-devicesthis-is-how-it-works/#4f7548bd5bf2

Quote
The interesting twist here is that the malware might even be on the target device. An attacker pushes that malicious code to your phone. The first time you connect to a vulnerable fast charger, the phone overwrites its firmware. The next time you connect to that same charger to repower your device, your phone will be overloaded.

Tencent has produced a demo video, showing how a charger can be compromised and then used to overload a device.

Tencent have dubbed this issue “BadPower,” and warn that “all products with BadPower problems can be attacked by special hardware, and a considerable number of them can also be attacked by ordinary terminals such as mobile phones, tablets, and laptops that support the fast charging protocol.”

Quote
The researchers identified 234 fast chargers on the market, and tested 35 of them. Of those, they found “at least 18 had BadPower problems and involved eight brands.” Of those 18 charging devices, 11 were vulnerable to a simple attack through a device that also supports the fast charging protocol, such as a mobile phone.

Just like coronavirus this was clearly "totally unprecedented" and thus you can't blame anyone for not foreseeing the possibility during the USB fast charge specification design process (in the same way governments couldn't have been expected to have made any worthwhile preperations for the possibility of a pandemic).  :palm:

It will be interesting to see how the USB consortium react to this. One way is to have an approval system for fast chargers requiring the use of fully certified ICs with exclusive control of the USB charge process which cannot be overriden by an external controller - rather like the implementation of HDMI preventing access to the unencrypted datastream. Conformant products would then be allowed to sport the new 'GoodPower' logo.  :-DD

It will be interesting to see if any high profile manufacturers/brands prove to be vulnerable.

Unfortunately I guess there won't be any easy way to identify vulnerable chargers. Probably best to avoid fast chargers altogether unless you know your device is robust. Hopefully this may be just another in a long list of vulnerabilities that in reality is a low probility risk.

[EDIT] Now there needs to be an urgent investigation to find out which devices are vulnerable and need to put them into 'shielded protection measures' to ensure proper social isolation from 'BadPower' chargers. Daily prime time news announcements/government presentations will be needed to publicise the ever present danger.
« Last Edit: July 21, 2020, 03:29:24 pm by splin »
 

Offline davep238

  • Contributor
  • Posts: 36
  • Country: us
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #1 on: July 21, 2020, 03:45:56 pm »
Are you trying to say that if I have a phone that needs 500mA to charge and it's connected to a 2 A charger, that the charger will somehow "force" 2A into the phone? Unless the charger raises its output voltage, how does the charger "force" more current into the device?   :wtf:
 

Offline Mr Evil

  • Regular Contributor
  • *
  • Posts: 76
  • Country: gb
    • mrevil.asvachin.com
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #2 on: July 21, 2020, 04:42:13 pm »
Just like coronavirus this was clearly "totally unprecedented" and thus you can't blame anyone for not foreseeing the possibility during the USB fast charge specification design process (in the same way governments couldn't have been expected to have made any worthwhile preperations for the possibility of a pandemic).  :palm:
This sounds like it's the fault of the manufacturers, not the spec. Or does the spec demand that chargers have upgradeable firmware, and accept unsigned images?
 
The following users thanked this post: hans, Cyberdragon, davep238

Offline edy

  • Super Contributor
  • ***
  • Posts: 2387
  • Country: ca
    • DevHackMod Channel
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #3 on: July 21, 2020, 04:52:20 pm »
To mitigate the problem for now at least... don't use a fast charger. Use a "dumb" charger that simply outputs 5V and can't change it's output voltage. But who couldn't see this coming? Why expose firmware to be capable of being reprogrammed? Why wasn't this "negotiation" set up in a secure way, so that malicious software couldn't access this low-level hardware function?
YouTube: www.devhackmod.com LBRY: https://lbry.tv/@winegaming:b Bandcamp Music Link
"Ye cannae change the laws of physics, captain" - Scotty
 
The following users thanked this post: amyk, petert

Offline MrMobodies

  • Super Contributor
  • ***
  • Posts: 2028
  • Country: gb
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #4 on: July 21, 2020, 05:27:17 pm »
I thought the firmware could signal back to the charger to simply change the voltage but I never thought of firmware reprogrammable usb chargers.

I wonder whether the battery controllers on these phones and tablets can also be compromised to over charge the batteries.

So even most phones I have seen now are so locked down and unrooted to the user criminals have more rights to it however malware it gets on there maybe through some "app".


It looks like it can also start from the charging stations at a controller level and not malware installed on the phone itself:
https://www.forbes.com/sites/zakdoffman/2019/11/15/dont-let-public-usb-charging-stations-ruin-your-holiday-travels-officials-warn/#7b704718410c

Quote
The latest official advice on this longstanding debate comes from the Los Angeles County District Attorney’s Office, which has cautioned that “criminals load malware onto charging stations or cables they leave plugged in.” The “dangerous” malware, the officials say, “may infect the phones and other electronic devices of unsuspecting users.”
« Last Edit: July 21, 2020, 05:30:58 pm by MrMobodies »
 

Offline davep238

  • Contributor
  • Posts: 36
  • Country: us
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #5 on: July 21, 2020, 05:28:49 pm »
Are you trying to say that if I have a phone that needs 500mA to charge and it's connected to a 2 A charger, that the charger will somehow "force" 2A into the phone? Unless the charger raises its output voltage, how does the charger "force" more current into the device?   :wtf:

Modern phones and chargers are capable of charging at up to 9V, 12V or even 20V depending on make and model.

So hacking the PD/QC controller and let it output non-5V before protocol negotiation is possible.

Thanks for letting me know. I only have an old phone that does not do quick charging.
 
The following users thanked this post: Larryc001

Offline splinTopic starter

  • Frequent Contributor
  • **
  • Posts: 999
  • Country: gb
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #6 on: July 21, 2020, 05:30:56 pm »
Just like coronavirus this was clearly "totally unprecedented" and thus you can't blame anyone for not foreseeing the possibility during the USB fast charge specification design process (in the same way governments couldn't have been expected to have made any worthwhile preperations for the possibility of a pandemic).  :palm:
This sounds like it's the fault of the manufacturers, not the spec. Or does the spec demand that chargers have upgradeable firmware, and accept unsigned images?

I've not read the specs, but sure it's the fault of the manufacturers. However the USB Implementers Forum (who are in control of the standard) should have anticipated this possibility - after all, the image of the USB PD standard risks becoming severely tainted if this turns out to be a significant real-world problem.

It isn't an easy issue to deal with in the specifications; it's one thing proving a product conforms when operated as intended but how can you prove it continues to conform in the face of an almost infinite variety of possible malign external attacks, especially when in the firmware of the microcontroller in control of the charger?

That is why I suggested that chargers should only be approved where sufficient proof exists that the critical charging voltage negotiations between the charger and the device to be charged and the actual generation of the selected voltage to the interface could only be compromised by physical modification of the product. It would likely add considerable costs and would work to the advantage of the big players at the consumers expense.
« Last Edit: July 21, 2020, 05:32:33 pm by splin »
 

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #7 on: July 21, 2020, 06:01:07 pm »

It's a side effect of the general trend of over-complicating and making brittle even simple products that were robust and trustworthy in the past.



 
The following users thanked this post: amyk, Cyberdragon, petert, MrMobodies, Vovk_Z

Offline edy

  • Super Contributor
  • ***
  • Posts: 2387
  • Country: ca
    • DevHackMod Channel
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #8 on: July 21, 2020, 06:22:07 pm »
This reminds me of this scene from one of my favorite movies:



Hackers will find a way to send 40,000 V to your phone and blow it up!  :-DD
YouTube: www.devhackmod.com LBRY: https://lbry.tv/@winegaming:b Bandcamp Music Link
"Ye cannae change the laws of physics, captain" - Scotty
 

Offline SparkyFX

  • Frequent Contributor
  • **
  • Posts: 676
  • Country: de
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #9 on: July 22, 2020, 12:39:36 am »
This is tricky on several levels...
A QC-capable device might be able to handle the wrong output or detect a bad power source
A non-QC device might not reprogram the charger, but the one before this could have

In other words... only use a trusted charger.

OTOH i think the issue is somewhat overrated, because there is no value in the mindless destruction of devices or an imminent fire hazard, which limits motivation to do so. Such an act would have been possible with manipulated or faulty USB chargers before there were chargers with reprogrammable firmware.
Support your local planet.
 

Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3051
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #10 on: July 22, 2020, 12:47:57 am »
IMHO USB-C and all the quick charge stuff was made stupid complicated.  The developers threw software, negotiations, protocols, special chips, rewritable firmware... at a problem that amounts to connecting a wire to a voltage source.

K.I.S.S

~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
 
The following users thanked this post: amyk, Cyberdragon, SilverSolder, Solomon_3055

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #11 on: July 22, 2020, 12:50:59 am »
IMHO USB-C and all the quick charge stuff was made stupid complicated.  The developers threw software, negotiations, protocols, special chips, rewritable firmware... at a problem that amounts to connecting a wire to a voltage source.

K.I.S.S

I remember first reading about them wanting to deviate from the 5v, 500mA standard. I thought, oh f***, here we go.

iratus parum formica
 

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #12 on: July 22, 2020, 01:31:49 am »
IMHO USB-C and all the quick charge stuff was made stupid complicated.  The developers threw software, negotiations, protocols, special chips, rewritable firmware... at a problem that amounts to connecting a wire to a voltage source.

K.I.S.S

Exactly... and any experienced engineer could have told them that the end result could only ever be less reliable than connecting a wire to a voltage source!
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6120
  • Country: au
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #13 on: July 22, 2020, 02:43:20 am »
Most decent phones will handle extreme over-voltages up the USB port anyway.

 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6120
  • Country: au
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #14 on: July 22, 2020, 06:27:18 am »
Most decent phones will handle extreme over-voltages up the USB port anyway.

Those phones handle an instant over voltage by absorbing it. There is a maximum energy limit and a maximum average power limit.

This PD/QC hack dumps continuous, current unlimited 20V to the phone, and no ESD diodes can take that.

I'd hardly call the voltages pumped into the Samsung Galaxy Note series as "instant". It was fairly continuous and the phone didn't even lock up or reboot. And we're talking about 215 volts, not 20.
« Last Edit: July 22, 2020, 06:29:33 am by Halcyon »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6120
  • Country: au
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #15 on: July 22, 2020, 06:35:32 am »
I'd hardly call the voltages pumped into the Samsung Galaxy Note series as "instant". It was fairly continuous and the phone didn't even lock up or reboot. And we're talking about 215 volts, not 20.

USB killer is pulsed internally. It has a charger circuit from VBus, a capacitor, and a discharging circuit dumping charged voltage to D+/D- lines.

Even worse. Why would manufacturers bother only protecting the data lines and not bothering with the power as well? Phones routinely get charged off all kinds of shitty power supplies, everything from your crappiest Chinese adapters that are mains referenced, to noisy vehicle power adapters.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #16 on: July 22, 2020, 08:05:23 am »
Those phones handle an instant over voltage by absorbing it. There is a maximum energy limit and a maximum average power limit.

This PD/QC hack dumps continuous, current unlimited 20V to the phone, and no ESD diodes can take that.

No, but most modern phones have something along these lines:
https://www.maximintegrated.com/en/products/power/protection-control/protection-ics/MAX4987AE.html

This is the device that was fitted to my Samsung S4, and it provides OVP up to 28V even though the phone only supported 5V.

ESD diodes can keep the device within its momentary OVP limits as well.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6120
  • Country: au
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #17 on: July 22, 2020, 08:24:23 am »
Even worse. Why would manufacturers bother only protecting the data lines and not bothering with the power as well?

You are not an EE at all, are you.

Nope, but I know the stupid shit that consumers do and what manufacturers are up against. You pay a premium for decent hardware for a reason (other than the badge).

Phones routinely get charged off all kinds of shitty power supplies, everything from your crappiest Chinese adapters that are mains referenced, to noisy vehicle power adapters.

I've yet to see a phone charger that is mains referenced. Metal phone chassis is almost always connected to DC- for RF performance reasons, using a mains referenced charger means reliable instant kill.

Noisy does not mean high voltage. 5V with 500mV noise is considered f*ing noisy, but 5.5V is not dangerous to electronics. A steady 10V can easily fry a phone regardless how clean it is.

Watch Big Clive, he does several videos on "death-dapters".
« Last Edit: July 22, 2020, 08:26:16 am by Halcyon »
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #18 on: July 22, 2020, 08:25:16 am »
Just to put into perspective, people are desperate enough not to put DC/DC charger on board to save heat generation. Instead, they use a capacitive voltage halver and current doubler and rely on the external charger to define charging current and voltage.

When it comes to leading edge consumer electronics playing the war of number, things get totally crazy very quickly.

Do you have a link to this technology?  I'm quite interested to understand this.  Surely the phone must still support 5V USB charging to be compatible with existing kit, but the high power path is also available with compatible chargers.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6120
  • Country: au
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #19 on: July 22, 2020, 08:44:56 am »
Watch Big Clive, he does several videos on "death-dapters".

He had featured a few mains referenced devices, none were intended to charge a phone.

From memory he did one on a camping light with a "5 volt" USB output which can be used for any consumer devices. He also did one on some coloured Poundland chargers which he ended up blowing up (on purpose).

The point is, dodgy USB adapters exist in the consumer market. I don't recall a single brand-name phone blowing up or having their port destroyed because of it. Many are designed (within reason) to cop what owners throw at them.
« Last Edit: July 22, 2020, 08:47:06 am by Halcyon »
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 979
  • Country: fi
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #20 on: July 22, 2020, 08:58:56 am »
https://www.oppo.com/en/newsroom/press/oppo-launches-125w-flash-charge-65w-airvooc-wireless-flash-charge-and-50w-mini-supervooc-charger/


"With an advanced encryption algorithm and strict temperature control regulators, it enables the safe and efficient use of the flash charging device."
Whaaat? Is the encryption algo part of some proprietary power negotiation protocol, or where else does came into play? 
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #21 on: July 22, 2020, 09:49:50 am »
From memory he did one on a camping light with a "5 volt" USB output which can be used for any consumer devices. He also did one on some coloured Poundland chargers which he ended up blowing up (on purpose).

The point is, dodgy USB adapters exist in the consumer market. I don't recall a single brand-name phone blowing up or having their port destroyed because of it. Many are designed (within reason) to cop what owners throw at them.

So you expect the phone to have an isolated DC/DC converter inside of it to remain floating even when a crappy chinese mains referenced charger is plugged in? Have you seen the size of isolated switching converters for these kind of powers?

Phones are built down to a price AND formfactor. They have to keep the costs down in the mainstream phones to be competitive in the fierce phone market. Also any high power protection devices require extra board space. With the trend of phones pushing to be ever thinner this space is very limited.

Any decently made phone will survive a lot of static zaps to its USB port, It will survive being charged from a USB charger that is not isolated from mains (But the phones owner might not survive that). But it is not reasonable to expect a phone to survive continuous reverse polarity or 24V on the USB port. Yes it is possible to do it, but might not be worth it. It is the users own fault for using a shitty charger, just like it is the users fault if you put diesel in your gasoline car and complain to the manufacturer when it doesn't run.

But the fact that this hack is possible is indeed horrible design that should have never happened. How fucking difficult is it to get about 2 bits worth of information across a wire reliably.
 
The following users thanked this post: amyk, SilverSolder

Offline Syntax Error

  • Frequent Contributor
  • **
  • Posts: 584
  • Country: gb
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #22 on: July 22, 2020, 10:15:36 am »
 :-\ today's old news.

Such is the price for using those ubiquitous public USB chargers. The best counter measure is to use a DC only - or no data - USB lead. And one with a built in limiter circuit.

Today's student design challenge: design a USB charging protection device and lead that is 100% safe to connect to any random public charger point. Whether that USB charger point is on a plane, a bus or attached to a cycling machine in a train station, your design will handle over voltage, over current and, provide isolation from transients, floating earths, etc. Plus, it provides a nice user friendly status LED. Don't cut and paste a design off of Google, figure it out yourself just like your classmates will have to.

 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7334
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #23 on: July 22, 2020, 10:17:21 am »
Today's student design challenge: design a USB charging protection device and lead that is 100% safe to connect to any random public charger point. Whether that USB charger point is on a plane, a bus or attached to a cycling machine in a train station, your design will handle over voltage, over current and, provide isolation from transients, floating earths, etc. Plus, it provides a nice user friendly status LED. Don't cut and paste a design off of Google, figure it out yourself just like your classmates will have to.

There's no such circuit. Say someone designed a USB charging point that was connected directly to 3ph 415V.  No protection circuit is going to protect against that unless it is self-sacrificing.  And then it would need to have a relay/contactor/MOSFET to isolate it and even that has a maximum breakdown rating.
 
There always comes a reasonable limit for which protection circuits are designed to handle.  28V protection on a 5V USB device makes sense because it protects against the worst case of a failed cigarette-lighter charger in a 24V vehicle.  Beyond that point failures are almost certainly intentional.
« Last Edit: July 22, 2020, 10:19:13 am by tom66 »
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 5050
  • Country: si
Re: Hackers Can Now Trick USB Chargers To Destroy Your Devices
« Reply #24 on: July 22, 2020, 10:32:14 am »
There's no such circuit. Say someone designed a USB charging point that was connected directly to 3ph 415V.  No protection circuit is going to protect against that unless it is self-sacrificing.  And then it would need to have a relay/contactor/MOSFET to isolate it and even that has a maximum breakdown rating.
 
There always comes a reasonable limit for which protection circuits are designed to handle.  28V protection on a 5V USB device makes sense because it protects against the worst case of a failed cigarette-lighter charger in a 24V vehicle.  Beyond that point failures are almost certainly intentional.

Well not to say it is impossible to make a protection circuit that will survive having 400V AC put into it. Its just that the circuit would become unpracticaly large and expensive. Heck you could make a device that survives being hooked up to a 20kV AC transmission line, but the power input connector for that alone would be larger than the phone itself.

At some point the device would become bigger than a USB power bank, at that point it makes more sense to just bring a power bank. It does the same job of keeping your phone protected by preventing you from needing to plug into a unknown source.

But yes id say you could make a protection device that can survive 220V mains put into it that is the size of a disposable cigarette lighter using off the shelf reasonably priced components (Would still take a fair bit of design work tho). Making it work with all of USB-PD would be tougher but probably still possible.

But getting this to fit into the phone itself... ho boy. Good luck with that
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf