bigclive


Not my video. Malware for fast chargers.

It appears that some fast chargers can be updated via their cable, and experimental malware has been written that allows a small device to be plugged into a fast charger and modifies its code so that whatever voltage is negotiated is replaced with the full 20V anyway.

https://www.youtube.com/watch?v=Es2SqubYSfo

Watch the cheap USB rechargeable lights emit smoke at the end.


Comments

Install Google translate for FireFox, highlight your link, right click and select "Translate selection with Google translate". Other browsers, such as Chrome, should have the same capability with add-ons. Just in case it can be of help to you or others.

MarkM

It's an excuse not to let your colleagues borrow your USB charger too. Although I'm tempted to suggest creating one of these to loan to such people so they learn not to ask to borrow them. I'm a horrible person sometimes.

Link to the Chinese article (they don't have it in English yet, but G~Translate did a very decent job translating it into English): https://xlab.tencent.com/cn/2020/07/16/badpower/

Hagen

It's probably to allow for fixing firmware errors or adapting to new charging communication protocols.

Big Clive

Is there any practical reason for a charger to be built to allow software update via the USB port? I'm just not seeing how there could be any good reason for this.

This was always going to be a risk with software-defined charging, either due to a bad actor deploying a hack like this or a badly designed charger doing this without a hack (I'm sure I saw a demo of a charger doing exactly that - thought it was on EEVBlog but can't find it now). What isn't immediately obvious in this case is what was done to the phone to make it deploy the payload - e.g. did it need to be rooted? The general rule still applies - never plug a device into a power source of unknown quality or origin - whether that's due to this issue, USB Killers, devices containing hidden USB exploit chips, or just poor quality chargers with inadequate isolation. Installing apps from unknown origin is a bad idea too.

Mark Gray

I'd guess they just explored a technical weakness. It's useful to consider all possibilities. At some point there's going to be rogue firmware or hardware with bugs that result in high voltage being presented, so designing stuff with that possibility in mind (a PTC fuse and transorb?) is probably a good idea. That's what some UK companies did with the DMX inputs on their equipment to avoid damage.

Big Clive

Thanks for the info Clive. I see that major anti-virus/anti-malware companies have remedies for this.

Rocco Rizzo

Is this something Tencent are investigating, or creating?

Mike Page

Here's the datasheet for the FUSB302 chip that translates I2C to the PD signals. It has several good figures. https://www.onsemi.com/pub/Collateral/FUSB302-D.PDF

Jeremy Impson

The USB PD protocol is apparently very complex, and it looks like vendors are resistant to creating custom ICs for it. Instead they are relying on an upgradable microprocessor to do the negotiations, with a PD-specific translator chip that converts commands from the MCU to the correct CPD signals.

Jeremy Impson

GreatScott did a pair of videos showing how USB PD works from the perspectives of the power source and the power load. The off-the-shelf chips for doing PD that he found only handle the conversion of higher level bus protocols (I2C, I think) to the right voltage level signals required by the PD spec. They required a host processor and a fair amount of code to completely implement the entire PD protocol. Not sure if every implementation will follow suit, or if any vendors will implement an all-ASIC version that would be immune to reprogramming (unlikely given modern trends). It's a lot different of an approach than the added resistors that Apple used to indicate higher currents.

Jeremy Impson

Thank you for the in-depth info & explanation!

You can do this with a USB Power Delivery-compatible power bank and a USB PD trigger. I use one to provide 15 volts to my portable soldering iron. GreatScott did a video on the trigger board, and what it would take to make your own implementation.

Jeremy Impson

Great, now we’ll need a couple more devices to make sure our phone or charger are not asking for too much power. Maybe we can get Julian or Great Scott to design something.

Jim

It should be noted that this won’t affect most high value USB C PD devices like laptops and smartphones, hence why they use a cheap rechargeable light. The USB PD specification does realize the possibility for both maliciously rogue upstream devices as well as faulty upstream devices. More expensive devices with PD management ICs will have a high side P channel MOSFET; if the voltage goes outside of the requested voltage window for any reason, the management IC will cut off the downstream device from Vbus. Those management ICs typically can protect the product even if Vbus goes outside the USB spec to ~30V. This is only an issue on devices that have a cheaper PD management IC with no high side MOSFET or devices that use the controllerless 5V mode set by resistors (as pictured in the video). With that said, it looks like this product will accept any random unsigned software update through the USB port, which is never a great idea…

WizardTim
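The sink-side protection described in the comment above (cut the load off from Vbus when the voltage leaves the requested window), as an added example that is not from the original thread or from any vendor's firmware. The ±5 % window, the under-voltage debounce count, all names and the sample traces are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UNDER_DEBOUNCE 2u /* assumed: tolerate one sagging sample under load */

typedef struct {
    uint32_t requested_mv; /* voltage the sink negotiated, in millivolts */
    uint32_t tol_pct;      /* allowed deviation in percent (assumed 5) */
    uint32_t low_samples;  /* consecutive under-voltage readings */
    bool     latched_off;  /* true = high-side switch open until re-attach */
} vbus_guard;

void guard_init(vbus_guard *g, uint32_t requested_mv, uint32_t tol_pct) {
    *g = (vbus_guard){requested_mv, tol_pct, 0, false};
}

/* Feed one VBUS reading; returns true while the load may stay connected. */
bool guard_sample(vbus_guard *g, uint32_t vbus_mv) {
    if (g->latched_off) return false;
    uint32_t margin = g->requested_mv * g->tol_pct / 100u;
    if (vbus_mv > g->requested_mv + margin) {
        g->latched_off = true;            /* over-voltage: cut off at once */
    } else if (vbus_mv < g->requested_mv - margin) {
        if (++g->low_samples >= UNDER_DEBOUNCE) g->latched_off = true;
    } else {
        g->low_samples = 0;
    }
    return !g->latched_off;
}

/* Returns the index of the reading that opened the switch, or -1. */
int guard_run(vbus_guard *g, const uint32_t *mv, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!guard_sample(g, mv[i])) return (int)i;
    return -1;
}

/* Constructed traces (mV): 5 V contract that jumps to 20 V; healthy 9 V. */
static const uint32_t TRACE_FORCED_20V[] = {5020, 4980, 5010, 20050, 20010};
static const uint32_t TRACE_HEALTHY_9V[] = {9100, 8900, 9300, 9000};

int main(void) {
    vbus_guard g;
    guard_init(&g, 5000, 5);
    printf("5 V contract trips at sample %d\n", guard_run(&g, TRACE_FORCED_20V, 5));
    guard_init(&g, 9000, 5);
    printf("9 V contract trips at sample %d\n", guard_run(&g, TRACE_HEALTHY_9V, 4));
}
```

The latch matters here: once the source has delivered a voltage the sink never asked for, the load stays disconnected until the cable is re-attached, rather than reconnecting when Vbus happens to look normal again.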

I wouldn’t assume that will save you (though in practice it probably will) as the really scary thing here is the apparent ease of using a phone to deliver the payload over USB. Imagine downloading an innocent-looking app which also happens to watch for connection to a susceptible charger and delivers the updated code when it sees one. Presumably the phone manufacturers don’t make that attack vector trivial, but how hard really is it?

Dermot Conner

For many it's more of a challenge. It's better to discover weaknesses like this.

Big Clive

I will never understand why. It seems so pointless. Who the hell are we living with, human nature, sheesh, what a bummer. :(

wow that would be great for power to my TS100 soldering iron!

Aaron Nadler

Well. That's why proprietary chargers are locked down. It's nice to have firmware options but this is an argument against them if I ever saw one. Shame people just can't quit fucking with other people. It's just human nature apparently.

My guess is that most, if not all, that are susceptible to this use the same charging chip, you know, the ones with all the info scrubbed off.

Cleveland Prescott

I wonder, will BigClive do his own video of USB PD? https://www.ebay.com/itm/PDC004-PD-decoy-PD23-0-to-DC-DC-trigger-QC4-charge-notebook-9-12-15-20V/133385272919?hash=item1f0e61be57:g:G-kAAOSwEIBekxGh

Ossi K

That means we need to beware of open box / used fast chargers such as Amazon warehouse deals. For example, Amazon could test returned fast chargers, they appear to operate fine, but could be maliciously programmed to deliver 20V a few hours later, which could cause a fire when it's more likely to be unattended such as overnight charging.

Seán Byrne

I guess it had to happen!

Dr Andy Hill

In order to be compatible with devices that do not support fast charging, the charger that uses fast charging technology outputs the USB standard voltage by default. Only after fast charging is negotiated with the device will the higher voltage be output. The bad power attack allows the charger to output up to 20V; this will burn out most electrical equipment. There are hundreds of fast chargers on the market. Among the 35 models that have been studied, it was found that 18 models had these problems, 8 of which were different brands. Xuanwu Lab reported the problem to the relevant party on March 27 2020. The competent department and assisted the manufacturer to deal with it.

evilution

A crowbar over-voltage protection circuit with a hefty thyristor may be a better option. Some of the latest USB supplies could fry a 5W zener with ease.

Ouch !

Graham Eida

It would be interesting to do some testing to force the different power levels. It's something I would like to do to get 12 V out of a power bank when needed to run some electronics.

Well...when travel opens up again, I think I'll be traveling with my non-fast-chargers until there's some data out there about which chargers are vulnerable and which ones are immune. Scary stuff.

Sean M

I'd love to know what the title cards say, could someone that is able to translate please provide them in another (any) language?

Ryan Coleman

Wow, that's fascinating and slightly scary. Don't trust other people's chargers and don't let other people plug things into your chargers. It would be really interesting to know which brands are affected by this. I think the only QC or PD voltage chargers I have are made by Apple or by Anker.

Jamie Whitehorn

Clive, the phone is the attack vector in this case. The demonstration said that malware code was installed to the phone and was deployed while charging, it told the charger to output 20V automatically after 10 seconds at 5V. They tested 35 chargers from 8 manufacturers, 18 of the 35 were susceptible to being reprogrammed. They are calling the vulnerability "BadPower".

Chris Parsons

This is probably a big thing. Hope kids are not going to play around for fun... That will be bad. It might be a good idea to start protecting equipment using a zener diode. I have a bunch of 1N5339B 5 Watt 5.6 Volt zeners around to keep things within specifications. I will be creating a cable next week.

Frank

Hmmm, I wonder if a Tencent company are about to launch a new brand of chargers that mitigate this ;-) A few things worry me about the demo. The first is the cut before the damage starts; the charger could have been hard wired to blow the lights. Why would anyone use a re-programmable microcontroller in a charger? I would have thought it would be a write-once chip, worst case. I'd like to see someone reproduce the issue with a range of chargers; the only news I can see just links to this video. Of course, very scary if true.

Some more information on this, here: https://itsecurity.org/badpower-fast-chargers-can-be-modified-to-damage-mobile-devices/

Auctoris

I'm surprised and not surprised at the same time, probably would be wise for any of us with the ability to test any new chargers when we get them. I suppose these would be chargers with Quickcharge or similar systems that need to negotiate with the device to set the voltage, otherwise why would the phone be able to talk to the microprocessor?

Matt Tester

Thanks... what makes people so twatty....!

Thanks Clive. Interesting.

Auctoris

There goes the smoke!

