{"id":50710,"date":"2024-02-28T07:15:56","date_gmt":"2024-02-28T12:15:56","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=50710"},"modified":"2024-02-28T07:15:56","modified_gmt":"2024-02-28T12:15:56","slug":"voltschemer-attack-wireless-chargers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/voltschemer-attack-wireless-chargers\/50710\/","title":{"rendered":"Attacks on wireless chargers: how to &#8220;fry&#8221; a smartphone"},"content":{"rendered":"<p>A group of researchers from the University of Florida has <a href=\"https:\/\/arxiv.org\/pdf\/2402.11423.pdf\" target=\"_blank\" rel=\"nofollow noopener\">published a study<\/a> on a type of attack using Qi wireless chargers, which they\u2019ve dubbed VoltSchemer. In the study, they describe in detail how these attacks work, what makes them possible, and what results they\u2019ve achieved.<\/p>\n<p>In this post, first we\u2019ll discuss the researchers\u2019 main findings. Then we\u2019ll explore what it all means practically speaking \u2014 and whether you should be concerned about someone roasting your smartphone through a wireless charger.<\/p>\n<h2>The main idea behind the VoltSchemer attacks<\/h2>\n<p>The <a href=\"https:\/\/en.wikipedia.org\/wiki\/Qi_(standard)\" target=\"_blank\" rel=\"nofollow noopener\">Qi standard<\/a> has become the dominant one in its field: it\u2019s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.<\/p>\n<p>The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only \u201cthing\u201d connecting the charger and the smartphone \u2014 a magnetic field \u2014 to transmit messages.<\/p>\n<p>The second feature is the way that wireless chargers are intended for anyone to freely use. 
That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption \u2014 all commands are transmitted in plain text.<\/p>\n<p>It is this lack of encryption that makes communication between charger and smartphone susceptible to <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\">man-in-the-middle attacks<\/a>; that is, said communication can be intercepted and tampered with. That, coupled with the first feature (use of the magnetic field), means such tampering is not even that hard to accomplish: to send malicious commands, attackers only need to be able to manipulate the magnetic field to mimic Qi-standard signals.<\/p>\n<div id=\"attachment_50713\" style=\"width: 2070px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065606\/voltschemer-attack-wireless-chargers-1.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50713\" class=\"size-full wp-image-50713\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065606\/voltschemer-attack-wireless-chargers-1.jpg\" alt=\"VoltSchemer attack: malicious power adapter\" width=\"2060\" height=\"1548\"><\/a><p id=\"caption-attachment-50713\" class=\"wp-caption-text\">To illustrate the attack, the researchers created a malicious power adapter: an overlay on a regular wall USB socket. <a href=\"https:\/\/arxiv.org\/pdf\/2402.11423.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>And that\u2019s exactly what the researchers did: they built a \u201cmalicious\u201d power adapter disguised as a wall USB socket, which allowed them to create precisely tuned voltage noise. 
They were able to send their own commands to the wireless charger, as well as block Qi messages sent by the smartphone.<\/p>\n<p>Thus, VoltSchemer attacks require no modifications to the wireless charger\u2019s hardware or firmware. All that\u2019s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.<\/p>\n<p>Next, the researchers explored all the ways potential attackers could exploit this method. That is, they considered various possible attack vectors and tested their feasibility in practice.<\/p>\n<div id=\"attachment_50715\" style=\"width: 2312px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065705\/voltschemer-attack-wireless-chargers-2.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50715\" class=\"size-full wp-image-50715\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065705\/voltschemer-attack-wireless-chargers-2.jpg\" alt=\"VoltSchemer attack: general outline and attack vectors\" width=\"2302\" height=\"720\"><\/a><p id=\"caption-attachment-50715\" class=\"wp-caption-text\">VoltSchemer attacks don\u2019t require any modifications to the wireless charger itself \u2014 a malicious power source is enough. <a href=\"https:\/\/arxiv.org\/pdf\/2402.11423.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<h2>1. Silent commands to Siri and Google Assistant voice assistants<\/h2>\n<p>The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. 
They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who <a href=\"https:\/\/www4.comp.polyu.edu.hk\/~csyanglei\/data\/files\/magsound-sp23.pdf\" target=\"_blank\" rel=\"nofollow noopener\">dubbed this attack Heartworm<\/a>.<\/p>\n<div id=\"attachment_50716\" style=\"width: 1680px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065840\/voltschemer-attack-wireless-chargers-3.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50716\" class=\"size-full wp-image-50716\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065840\/voltschemer-attack-wireless-chargers-3.jpg\" alt=\"Heartworm attack: the general idea\" width=\"1670\" height=\"1370\"><\/a><p id=\"caption-attachment-50716\" class=\"wp-caption-text\">The general idea of the Heartworm attack is to send silent commands to the smartphone\u2019s voice assistant using a magnetic field. <a href=\"https:\/\/www4.comp.polyu.edu.hk\/~csyanglei\/data\/files\/magsound-sp23.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The idea here is that the smartphone\u2019s microphone converts sound into electrical vibrations. It\u2019s therefore possible to generate these electrical vibrations in the microphone directly using electricity itself rather than actual sound. To prevent this from happening, microphone manufacturers use electromagnetic shielding \u2014 Faraday cages. However, there\u2019s a key nuance here: although these shields are good at suppressing the electrical component, they can be penetrated by magnetic fields.<\/p>\n<p>Smartphones that can charge wirelessly are typically equipped with a ferrite screen, which protects against magnetic fields. However, this screen is located right next to the induction coil, and so doesn\u2019t cover the microphone. 
Thus, today\u2019s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields \u2014 such as wireless chargers.<\/p>\n<div id=\"attachment_50717\" style=\"width: 1370px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065959\/voltschemer-attack-wireless-chargers-4.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50717\" class=\"size-full wp-image-50717\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28065959\/voltschemer-attack-wireless-chargers-4.jpg\" alt=\"Heartworm attack: lack of protection in today's smartphones \" width=\"1360\" height=\"1628\"><\/a><p id=\"caption-attachment-50717\" class=\"wp-caption-text\">Microphones in today\u2019s smartphones aren\u2019t protected from magnetic field manipulation. <a href=\"https:\/\/www4.comp.polyu.edu.hk\/~csyanglei\/data\/files\/magsound-sp23.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a \u201cmalicious\u201d power source. The authors of the original attack used a specially modified wireless charger for this purpose.<\/p>\n<h2>2. Overheating a charging smartphone<\/h2>\n<p>Next, the researchers tested whether it\u2019s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.<\/p>\n<p>However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up \u2014 and the smartphone can\u2019t do anything about it. 
For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn\u2019t help it shuts down completely.<\/p>\n<div id=\"attachment_50718\" style=\"width: 1938px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28070709\/voltschemer-attack-wireless-chargers-5.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50718\" class=\"size-full wp-image-50718\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28070709\/voltschemer-attack-wireless-chargers-5.jpg\" alt=\"VoltSchemer attack: overheating the charging smartphone\" width=\"1928\" height=\"1450\"><\/a><p id=\"caption-attachment-50718\" class=\"wp-caption-text\">Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178\u00b0F \u2014 approximately 81\u00b0C. <a href=\"https:\/\/arxiv.org\/pdf\/2402.11423.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Thus, the researchers were able to heat a smartphone up to a temperature of 81\u00b0C (178\u00b0F), which is quite dangerous for the battery \u2014 and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).<\/p>\n<h2>3. \u201cFrying\u201d other stuff<\/h2>\n<p>Next, the researchers explored the possibility of \u201cfrying\u201d various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn\u2019t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.<\/p>\n<p>Now, take a guess what will happen to any items lying on the charger at that moment! Nothing good, that\u2019s for sure. 
For example, the researchers were able to heat a paperclip to a temperature of 280\u00b0C (536\u00b0F) \u2014 enough to set fire to any attached documents. They also managed to fry to death a car key, a USB flash drive, an SSD drive, and RFID chips embedded in bank cards, office passes, travel cards, biometric passports and other such documents.<\/p>\n<div id=\"attachment_50719\" style=\"width: 2296px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28071128\/voltschemer-attack-wireless-chargers-6.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50719\" class=\"size-full wp-image-50719\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/02\/28071128\/voltschemer-attack-wireless-chargers-6.jpg\" alt=\"VoltSchemer attack: frying external objects and devices\" width=\"2286\" height=\"1558\"><\/a><p id=\"caption-attachment-50719\" class=\"wp-caption-text\">Also using the VoltSchemer attack, researchers were able to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536\u00b0F \u2014 280\u00b0C. <a href=\"https:\/\/arxiv.org\/pdf\/2402.11423.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. 
As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.<\/p>\n<h2>Should you fear a VoltSchemer attack in real life?<\/h2>\n<p>Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don\u2019t connect your own wireless charger to any suspicious USB ports or power adapters.<\/p>\n<p>While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it\u2019s not exactly clear what the benefits to an attacker would be \u2014 unless they\u2019re a pyromaniac, of course.<\/p>\n<p>But what this research clearly demonstrates is how inherently dangerous wireless chargers can be \u2014 especially the more powerful models. So, if you\u2019re not completely sure of the reliability and safety of a particular wireless charger, you\u2019d be wise to avoid using it. 
While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a \u201crogue\u201d charger that no longer responds to charging commands isn\u2019t entirely absent.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-geek\">\n","protected":false},"excerpt":{"rendered":"<p>VoltSchemer attacks on wireless Qi chargers using modified power sources can &#8220;fry&#8221; smartphones and other devices, as well as issue commands to voice assistants.<\/p>\n","protected":false},"author":2726,"featured_media":50711,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[111,282,3658,423,821,4566,4402,1006,1935,45,422,2949,4565],"class_list":{"0":"post-50710","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-attacks","9":"tag-cybersecurity","10":"tag-google-assistant","11":"tag-mobile-devices","12":"tag-nfc","13":"tag-qi","14":"tag-radiation","15":"tag-rfid","16":"tag-siri","17":"tag-smartphones","18":"tag-threats","19":"tag-voice-assistants","20":"tag-wireless-charging"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/voltschemer-attack-wireless-chargers\/50710\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/voltschemer-attack-wireless-chargers\/27140\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/voltschemer-attack-wireless-chargers\/22448\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/voltschemer-attack-wireless-chargers\/29815\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/voltschemer-attack-wireless-chargers\/27316\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/voltschemer-attack-wireless-chargers\/27061\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/voltschemer-attack-wireles
s-chargers\/29733\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/voltschemer-attack-wireless-chargers\/28561\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/voltschemer-attack-wireless-chargers\/37060\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/voltschemer-attack-wireless-chargers\/21564\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/voltschemer-attack-wireless-chargers\/22274\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/voltschemer-attack-wireless-chargers\/30960\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/voltschemer-attack-wireless-chargers\/35987\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/voltschemer-attack-wireless-chargers\/27504\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/voltschemer-attack-wireless-chargers\/33322\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/voltschemer-attack-wireless-chargers\/32946\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/wireless-charging\/","name":"wireless 
charging"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=50710"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50710\/revisions"}],"predecessor-version":[{"id":50721,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50710\/revisions\/50721"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/50711"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=50710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=50710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=50710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}