Your phone’s power brick is typically a relatively innocuous piece of tech, but recently, researchers at a Chinese security firm discovered a way to hack a fast charge power adaptor so that when connected to a phone, the power brick can melt the phone or even start a fire.
In a study published by Xuanwu Labs (which is owned by Chinese tech giant Tencent), researchers detailed the BadPower hack which works by manipulating the firmware inside fast charge power adapters.
Normally, when a phone is connected to a power brick with support for fast charging, the phone and the power adaptor communicate with each other to determine the proper amount of electricity that can be sent to the phone without damaging the device — the more juice the power adaptor can send, the faster it can charge the phone.
However, by hacking the fast charging firmware built into a power adaptor, Xuanwu Labs demonstrated that bad actors could potentially manipulate the power brick into sending more electricity than a phone can handle, thereby overheating the phone, melting internal components, or as Xuanwu Labs discovered, setting the device on fire.
After confirming the results of the research, Xuanwu labs decided to test BadPower by loading it onto 35 different power bricks (out of 234 available models currently on sale) and discovered that 18 of those chargers (made by eight different vendors) were susceptible to the attack.
To make matters worse, if BadPower is used to hack a power brick, there would be no external signs or easy ways of detecting that the device had been tampered with. Fortunately, for now, it will require the bad actor to have physical access to the power adaptor. The researchers at Xuanwu claimed hacking a power adaptor was as simple as connecting it to a portable, custom-designed rig that can upload malicious code to the power brick in a just a few seconds. And in some cases, the researchers were able to upload BadPower just by connecting a power adaptor to an infected phone or laptop.
The small upside to BadPower is that the hack can be shutdown by updating a power brick’s firmware. Unfortunately, after analysing 34 different chips used in fast charge adapters, Xuanwu researchers found that 18 of the chips didn’t have support for updatable firmware, meaning for some bricks there would be no way to protect against BadPower.
Xuanwu Labs has reached out to the vendors who made vulnerable power adapters with advice on how to protect against BadPower hacks in the future, which includes improving firmware security and including additional charging precautions to prevent a phone from overheating.
While BadPower or similar hacks don’t seem to have been used in the wild just yet, for those worried about people messing with their power bricks, BadPower serves as a good reminder that physical security remains the first line of defence when it comes to protecting your tech. Because if a hacker can’t get to your power brick, they won’t be able to upload the malicious code needed to make your power adaptor go haywire.