You know your USB chargers? They seem innocent and straightforward enough, right? Think again.
According to the Chinese tech giant Tencent, its researchers have discovered a new severe vulnerability to businesses and individuals: USB fast chargers.
This is what happens (in a nutshell): when a device connects to a USB cable to charge, there is an exchange between the two that establishes the maximum power charge that the device can safely handle. Assuming both sides will interact positively, the exchange happens between the firmware on the device (think your iPhone) and firmware inside the USB charger.
Hackers are manipulating this exchange in a very simple way. By pushing more power to the device than it can handle, the exchange can damage or destroy it and sometimes set it on fire from the overabundance of pushed power.
To perform this hack, hackers load malware (via an exploit called “BadPower”) onto a smartphone and connect it to a USB charger. From this exchange, the next device that the charger attaches to becomes subject to the modification from the original device. All in all, a straightforward attack.
According to Tencent, devices such as smartphones, tablets, and laptops are most vulnerable because they support the fast charging protocol required for this hack.
How prevalent is the problem?
Researchers at Tencent have found 234 fast chargers on the market and been able to test 18 of them–finding that 11 of the 18 had open vulnerability to support a malware attack.
Should you be concerned?
Kind of. That is to say, if you purchase chargers from secure sources (i.e., known manufacturers), you don’t have much to worry about. Suppose you buy off-brand chargers online from unknown sources. In that case, you should be concerned only for your fast-charging devices (smartphones, tablets, laptops). You should also be aware that you should not plug basic 5V devices into fast chargers with a USB to USB-C cable if you want to exercise necessary precautions.
It’s also important to consider how an attack on your devices might affect you. If you’re taken offline, or experience compromised devices, will this affect your business or just you personally? Do you have sensitive information on your devices? These are all things to take into consideration when choosing to follow recommended precautions around USB chargers.
Our Take On It
From what we’ve read, this isn’t a wide-spread problem. However, you can immediately learn from it and do the following:
1. Be picky about what charges your phone.
Stick to quality chargers from known brands vs. lowest bidder Chinese knock-offs. For example, the charger that comes with your phone is ideal. Be aware that Amazon has a problem with counterfeiting, and you could end up with a knock off charger even if you purchased an authentic charger “sold by” the manufacturer of your phone. Either read the Amazon reviews (sort by new) and determine if there are recent negative reviews due to counterfeits or source your charger from a less counterfeit-prone source. Alternatives: Bestbuy and B&H Photo Video. It’s really anyone who claims to stock the product themselves, and not sourced by a third party.
2. Don’t use general charging stations or share chargers with people.
You don’t know if the charging station or your friends have high standards for phone chargers. You also don’t know if they, or anyone that they’ve shared their charges with, have ever downloaded garbage apps that could contain this fast-charge exploit that infects every fast-charger they touch.
3. Avoid fast-charging technology for now.
It is known that the current iteration of USB fast-charging causes cell phone batteries to fail prematurely. Unless your phone came with an increased charging speed charger from the factory, skip this technology for now.
Thanks for reading, please reach out to PK Tech if you have any questions.
