Google caps punch-yourself-in-the-face malicious charger hack

Google has capped a dangerous but somewhat obscure boot mode vulnerability that allowed infected PCs and chargers to put top end Nexus phones into denial of service states. IBM reported the flaw (CVE-2016-8467) which allows infected computers and malicious power chargers to compromise Nexus 6 and 6p phones. Google badged the …

  1. Alumoi Silver badge

    Infected chargers?

    WTF? How does one infect a charger? Inquiring minds want to know.

    Last time I cracked open a charger it's just a bunch of resistors, capacitors and transformers.

    1. phuzz Silver badge

      Re: Infected chargers?

      Modern USB chargers allow the device to request more power than standard, which means they need more smarts than just a dumb charger.

      I suspect that not many chargers will actually be vulnerable to malicious fiddling, but it's easy enough to build a whole computer into a power brick now, so just because your charger looks normal, it could still have been replaced by a malicious one.

    2. Anonymous Coward

      Re: Infected chargers?

      I suppose that means that any of those portable charger blocks being sold on Amazon, eBay and given away as freebies at events could easily be pre-loaded with said malicious code by the factory in China. Only a matter of time before an MP or high level exec plugs one into their phone and let the espionage begin...

    3. nathanmacinnes

      Re: Infected chargers?

      These are installed in coffee shops and the like.

      http://images.mobilefun.co.uk/graphics/productmisc/46624/enCharge_Uk-Power-Socket_USB_Wall-Plater_Steel-White_46624_--(1).jpg

      Fit a little computer in the wall behind it and you can pwn the people who plug into it. So "infected" charger isn't really the right term. More a malicious charger.

    4. Stuart Castle Silver badge

      Re: Infected chargers?

      Most chargers aren't just a collection of resistors, capacitors and transformers anymore. They need some "intelligence" at least to negotiate how much power to transfer, as most devices can take a higher current than the 500mA sent by default over USB. Some may also use this intelligence to monitor how the phone battery is charging, and adjust their current accordingly (say reducing the current when the phone is nearly charged).

      That said, even if they weren't intelligent, given a full USB data cable (as is likely, it's cheaper to provide USB data cables than go and manufacture USB power cables, as well as a lot of people just use the first USB cable they see for charging), if the phone trusts the device on the other end by default, all it actually knows is a device is on the other end sending it data. It doesn't know that device is not actually the user's computer. You can argue that Plug and Play standards will enable it to detect what device is plugged in, and you'd be wrong. Plug and Play enables the phone to detect what the device reports it is. Anyone with the ability to write a virus that installs itself in this way has the ability to program the device to respond with a fake code for ID purposes.

      Be interesting to see if iOS is still vulnerable to this sort of thing, as Apple did introduce code that generates a signature for devices plugged in via USB, then prompts the user if it detects a device with an unknown signature being plugged in.

      1. Anonymous Coward

        Re: Infected chargers?

        "They need some "intelligence" at least to negotiate how much power to transfer, "

        No they don't, but apparently they do for super charging or some shit (but I assume that is just a proprietary term used to break USB spec and sell more adapters). Anyhow, I've wired together a very crude 5v transformer that can adequately charge up to 4a devices (I hope at least, new to this). It has charged about 10 different models just fine over the last 2 months (haven't seen past a 2600ma draw though). Trust me, my charger isn't smart...at all (in fact it's very dumb, even dumb looking :-j)

        1. JeffyPoooh
          Pint

          Re: Infected chargers?

          MBD mentioned "I've wired together a very crude 5v transformer..."

          I'm sure you've done it correctly, but the wording is a bit off.

          A transformer, by itself, provides AC. So it would need to be followed by other components (unmentioned) to change the AC to DC, and regulate the voltage down to +5v DC.

          This is mentioned to ensure that others do not misunderstand what you meant.

      2. Kiwi
        Facepalm

        Re: Infected chargers?

        "Most chargers aren't just a collection of resistors, capacitors and transformers anymore. They need some "intelligence" at least to negotiate how much power to transfer, as most devices can take a higher current than the 500mA sent by default over USB. Some may also use this intelligence to monitor how the phone battery is charging, and adjust their current accordingly (say reducing the current when the phone is nearly charged)."

        I have 2 car/bike battery chargers. One can deliver up to 5 amps, the other I think up to 20A. The 20A one delivers what the battery needs at the time. If it's a completely flat battery this thing delivers pulses at the higher rate until the voltage in the battery starts to rise, then as the battery gets closer to full charge the current supplied by the charger is reduced.

        The charger consists of 1) a mains transformer, 2) a rectifier, 3) a current display (simple gauge) to show what the battery is drawing and 4) a cut-out that as it heats up (from over current draw) it cuts out till it cools down, hence limiting the output current to 20A. It's also quite old, early 80's or late 70's

        While I've not opened the much more modern 5A charger, it's probably much the same except it's also a "maintenance charger" in that it's designed for vehicles/batteries that are not being used (eg motorbikes parked up over winter), in that when the battery reaches full charge it completely cuts off the power and only drops a little bit in every now and then to keep the power up rather than a constant draw.

        This stuff is basic electronics and doesn't need anything fancy to do it.

        Dell laptop chargers have a bit of extra circuits in them to tell the laptop what wattage the charger is, to protect Dell machines from you not spending enough $ on them/to protect Dell from you buying a perfectly OK charger that someone else sells. But even this does not need anything special that could be compromised. It's simple to make both ends protected, on the laptop don't let the circuitry that talks to the charger do any more than pass a "yes charger is OK" or "no charger from 3rd party EVIL EVIL EVIL" (or "charger wrong wattage") to the laptop - you could do it with 2 bits, a few more if you want it to specify its wattage. It takes nothing more than that.

        So basic I can't believe the stupid involved in this!

    5. Anonymous Coward

      Re: Infected chargers?

      Malicious iPhone chargers have been widespread for years.

      2013: http://www.ibtimes.co.uk/iphone-hacked-60-seconds-malicious-charger-mactans-496078

      The only difference here, the iPhone hack worked whilst the phone was up and running. The Android fix mentioned here, was only during a certain boot phase, and not really an issue unless you rebooted the phone whilst connected to a malicious charger.

      1. Kiwi

        Re: Infected chargers?

        "The Android fix mentioned here, was only during a certain boot phase, and not really an issue unless you rebooted the phone whilst connected to a malicious charger."

        Not really a rare occurrence. Given the pitiful battery life of smartphones, odds are quite good that your phone will die while you're out needing a charge. And many people cannot bear to be away from it for very long so they will turn it on seconds after connecting it to the charger.

        1. Anonymous Coward

          Re: Infected chargers?

          Pitiful? I got 2 days solid from my Xperia with decent amount of use, and its uptime is nearing 3 months.

          Sounds like you bought a battery hog iPhone...

  2. Dabooka

    As above

    The 'smart' chargers need two way data to connect up, hence a firmware hence the attack vector.

    Didn't happen with the ubiquitous Nokia cube chargers of old.....

    1. Andy 97

      Re: As above

      Ahh, the good old days when chargers were real chargers.

      1. magickmark
        Coat

        Re: As above

        "Ahh, the good old days when chargers were real chargers."

        And real men were real men..

        And sheep were afraid...

      2. tony2heads

        To quote Douglas Adams

        "In those days spirits were brave, the stakes were high, men were real men, women were real women, and small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri."

        1. 404

          Re: To quote Douglas Adams

          "We're whalers on the Moon, we carry a harpoon. But there ain't no whales so we tell tall tales and sing a whaling tune"....

  3. Sebastian Brosig

    no-data usb cable

    Maybe it's time to make a usb charge cable with no data lines... I don't charge my phone outside home or work but if I did maybe I'd make myself one:

    http://www.instructables.com/id/How-to-make-a-USB-no-data-charger-cable/

    1. Adam JC

      Re: no-data usb cable

      I doubt that'll work with Qualcomm Quick Charge, or other implementations of fast charging as it won't allow any negotiation with regards to power requirements which utilise the data pins.

      I'll be damned if I'm charging at 500mA.... I'd die of old age before recharging my phone!

      1. John Brown (no body) Silver badge

        Re: no-data usb cable

        "I'll be damned if I'm charging at 500mA.... I'd die of old age before recharging my phone!"

        That's only an issue if you wait till you desperately need a charge and don't have time for a standard 500mA charge rate. If that happens to you, maybe try to get in the habit of grabbing a bit of charge whenever it's available and convenient (with a charge-only cable of course)

      2. JeffyPoooh
        Pint

        Re: no-data usb cable

        Adam wrote "I'll be damned if I'm charging at 500mA.... I'd die of old age before recharging my phone!"

        Eight hours sleep times 500mA equals 4000mA-hour. Neglecting any 5/4.2 volt improvement from DC-DC converters, but also neglecting any inefficiencies.

        Is there electricity where you live? Where you sleep?

        4000 mA-hour is a fairly large capacity battery by phone standards. If your phone has that big a battery, then it shouldn't be 0% dead every single night at bedtime.

  4. Alex Brett

    Don't trust random ports

    If I ever use a random USB port to charge my phone I'll use something like http://plugable.com/products/usb-mc1/ (~6 quid from Amazon) in line to ensure I'm only getting power and no data connection is possible...

  5. enerider

    Protect yourself!

    http://syncstop.com/

    Hopefully they make a USB-C version in the not-too-distant future (these people made the original "USB condom" - which later got a new name :-) )

  6. Kiwi
    Facepalm

    FFS NO!

    malicious power chargers

    No! NO NO NO NO NO NO NO NO NO!

    There are all sorts of reliable, proven, and simple ways for chargers to deliver more power when needed and reduce the power later.

    Hell, car battery chargers and the like have been doing it for what, 50 years? 80? Technology so old and stable we use it in our daily lives and never give it another thought.

    No need for anything in the charger that can allow it to be infected.

    This is just stupid on so many levels. Beyond stupid. Who the hell thinks "Oh hey, let's take basic electronics that don't need to be fancy and turn them into something complex that can carry malware"?

    1. Lotaresco

      Re: FFS NO!

      "There are all sorts of reliable, proven, and simple ways for chargers to deliver more power when needed and reduce the power later."

      Yes, and I agree with your sentiments but the problem of BadUSB isn't really tied to the management of power delivery. In fact it's one of the few things we can legitimately blame the EU for[1]. The common external power supply (common EPS) standard specified a micro USB-B connector for charging a mobile phone. Hence anyone wanting to build a rogue device can be sure that the majority of users will use a data cable to charge their phone. Bingo, all you need to do is to build your charger with enough logic to attack the phone via the USB port. Users don't expect to open a charger and look at what's inside and most chargers are sealed anyway.

      There is a way to easily defeat this which is to remove pins 2 and 3 on the USB A plug, provided that the charger doesn't legitimately expect some data from the phone.

      [1] Please, no EU flame wars. I'm tired of them.

  7. EveryTime

    The vast majority of existing USB chargers are not smart in any real way.

    Simple ones simply put 5V on the power lines and call it a day.

    Ones that can deliver higher power often signal that ability with a few resistors on the data lines. There are mutually incompatible ways of doing this, with Apple ignoring the standard that did evolve. Which is why you often see differently labeled connectors on chargers and power banks.

    Since many chargers indicate power capability on the data lines, there are few charge-only USB cables that omit the data lines. And with the majority of chargers being simple power sources, most people forget that the plain-looking charger has all of the access available when plugging their devices into a computer.

    There are plenty of tiny microcontrollers with USB host support. Adding an also-tiny memory chip allows a massive library of potential attacks. Almost any USB attack you can do on a PC can be reworked to be used with such a microcontroller.

    I've seen some pretty evil USB devices. One in particular was an advertising device that visually appeared to be a regular flash drive. Once inserted it pretended to be a tiny drive with an autorun file. If the autorun file wasn't read, about a minute later it would transform into a USB keyboard and mouse, then "type" Windows commands to open a browser to their web page.

    With an "enhanced" charger, the smart side has the luxury to wait until the device is likely unattended and then transform into whatever kind of USB device needed for an attack: a keyboard, mouse, debugging pod, secondary screen, network device, etc.
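
An added example, not part of the comment above or of the original page: a host-side check for the behaviour that comment describes, where something on a USB port first enumerates as storage and later comes back as a keyboard. The event format, port names and the 300-second window are assumptions made for this sketch; the class codes are the standard USB interface class values.

```python
# Added example: flag a USB port whose device re-enumerates with an input-capable class.
from dataclasses import dataclass

# Standard USB base class codes (bInterfaceClass) used in this sketch.
CLASS_NAMES = {0x03: "HID", 0x08: "mass-storage", 0x02: "CDC", 0xFF: "vendor"}
INPUT_CAPABLE = {0x03}  # classes that can inject keystrokes or pointer events

# Constructed sample events, NOT real kernel log output. Hypothetical format:
#   "<seconds> <port> attach <hex class>[,<hex class>...]"  or  "<seconds> <port> detach"
SAMPLE_EVENTS = """\
10.0 1-1 attach 03
12.0 1-2 attach 08
75.3 1-2 detach
75.9 1-2 attach 03
90.0 1-3 attach 08
400.0 1-3 detach
4000.0 1-3 attach 03
"""

@dataclass
class Finding:
    port: str
    seconds_since_prev_attach: float
    added_classes: list

def parse(line):
    """Split one constructed event record into (time, port, event, class set)."""
    ts, port, event, *rest = line.split()
    classes = frozenset(int(c, 16) for c in rest[0].split(",")) if rest else frozenset()
    return float(ts), port, event, classes

def find_personality_changes(text, window=300.0):
    """Return ports where a re-attach within `window` seconds adds an input-capable class."""
    last = {}  # port -> (time of previous attach, classes exposed then)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, port, event, classes = parse(line)
        if event != "attach":
            continue
        if port in last:
            prev_ts, prev_classes = last[port]
            added = (classes - prev_classes) & INPUT_CAPABLE
            if added and ts - prev_ts <= window:
                names = sorted(CLASS_NAMES[c] for c in added)
                findings.append(Finding(port, round(ts - prev_ts, 1), names))
        last[port] = (ts, classes)
    return findings
```

On the constructed sample only port 1-2 is flagged; port 1-3 changes class too, but after the window, which is the trade-off a device that waits before switching is counting on.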

  8. a_yank_lurker

    Source?

    AFAIK a phone comes with a charger. Is the problem someone trying to be cheap and one from an unsavory source?

    1. Lotaresco

      Re: Source?

      "AFAIK a phone comes with a charger. Is the problem someone trying to be cheap and one from an unsavory source?"

      Most people have to buy a replacement charger at some time. You may also want one to use in your car or in your superyacht or helicopter. It doesn't have to be a mains charger. Any charger with a USB socket could contain an unexpected package.
