Attacks on wireless chargers: how to “fry” a smartphone

IoT 1个月前 admin
14 0 0

Attacks on wireless chargers: how to “fry” a smartphone

A group of researchers from the University of Florida has published a study on a type of attack using Qi wireless chargers, which they’ve dubbed VoltSchemer. In the study, they describe in detail how these attacks work, what makes them possible, and what results they’ve achieved.
佛罗里达大学的一组研究人员发表了一项关于使用 Qi 无线充电器的攻击类型的研究,他们将其称为 VoltSchemer。在研究中,他们详细描述了这些攻击是如何进行的、是什么使它们成为可能以及它们取得了哪些结果。

In this post, first we’ll discuss the researchers’ main findings. Then we’ll explore what it all means practically speaking — and whether you should be concerned about someone roasting your smartphone through a wireless charger.

The main idea behind the VoltSchemer attacks
VoltSchemer 攻击背后的主要思想

The Qi standard has become the dominant one in its field: it’s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.
Qi 标准已成为该领域的主导标准:所有最新的无线充电器和具有无线充电功能的智能手机都支持该标准。 VoltSchemer 攻击利用了 Qi 标准的两个基本特征。

The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only “thing” connecting the charger and the smartphone — a magnetic field — to transmit messages.
第一个是智能手机和无线充电器交换信息以协调电池充电过程的方式:Qi 标准有一个通信协议,该协议使用连接充电器和智能手机的唯一“东西”(磁场)来传输消息。

The second feature is the way that wireless chargers are intended for anyone to freely use. That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption — all commands are transmitted in plain text.
第二个特点是无线充电器适合任何人自由使用。也就是说,任何智能手机都可以放在任何无线充电器上,无需事先进行任何配对,电池将立即开始充电。因此,Qi 通信协议不涉及加密——所有命令均以纯文本形式传输。

It is this lack of encryption that makes communication between charger and smartphone susceptible to man-in-the-middle attacks; that is, said communication can be intercepted and tampered with. That, coupled with the first feature (use of the magnetic field), means such tampering  is not even that hard to accomplish: to send malicious commands, attackers only need to be able to manipulate the magnetic field to mimic Qi-standard signals.
正是由于缺乏加密,充电器和智能手机之间的通信容易受到中间人攻击;也就是说,所述通信可以被拦截和篡改。再加上第一个功能(磁场的使用),意味着这种篡改并不难实现:要发送恶意命令,攻击者只需要能够操纵磁场来模仿 Qi 标准信号。

Attacks on wireless chargers: how to “fry” a smartphone

To illustrate the attack, the researchers created a malicious power adapter: an overlay on a regular wall USB socket. Source
为了说明这次攻击,研究人员创建了一个恶意电源适配器:覆盖在普通墙壁 USB 插座上。来源

And that’s exactly what the researchers did: they built a “malicious” power adapter disguised as a wall USB socket, which allowed them to create precisely tuned voltage noise. They were able to send their own commands to the wireless charger, as well as block Qi messages sent by the smartphone.
这正是研究人员所做的:他们构建了一个伪装成墙壁 USB 插座的“恶意”电源适配器,这使得他们能够产生精确调节的电压噪声。他们能够向无线充电器发送自己的命令,并阻止智能手机发送的 Qi 消息。

Thus, VoltSchemer attacks require no modifications to the wireless charger’s hardware or firmware. All that’s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.
因此,VoltSchemer 攻击不需要修改无线充电器的硬件或固件。所需要做的就是将恶意电源放置在适合引诱毫无戒心的受害者的位置。

Next, the researchers explored all the ways potential attackers could exploit this method. That is, they considered various possible attack vectors and tested their feasibility in practice.

Attacks on wireless chargers: how to “fry” a smartphone

VoltSchemer attacks don’t require any modifications to the wireless charger itself — a malicious power source is enough. Source
VoltSchemer 攻击不需要对无线充电器本身进行任何修改——恶意电源就足够了。来源

1. Silent commands to Siri and Google Assistant voice assistants
1. 对 Siri 和 Google Assistant 语音助手发出无声命令

The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who dubbed this attack Heartworm.

Attacks on wireless chargers: how to “fry” a smartphone

The general idea of the Heartworm attack is to send silent commands to the smartphone’s voice assistant using a magnetic field. Source
Heartworm 攻击的总体思路是使用磁场向智能手机的语音助手发送无声命令。来源

The idea here is that the smartphone’s microphone converts sound into electrical vibrations. It’s therefore possible to generate these electrical vibrations in the microphone directly using electricity itself rather than actual sound. To prevent this from happening, microphone manufacturers use electromagnetic shielding — Faraday cages. However, there’s a key nuance here: although these shields are good at suppressing the electrical component, they can be penetrated by magnetic fields.

Smartphones that can charge wirelessly are typically equipped with a ferrite screen, which protects against magnetic fields. However, this screen is located right next to the induction coil, and so doesn’t cover the microphone. Thus, today’s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields — such as wireless chargers.

Attacks on wireless chargers: how to “fry” a smartphone

Microphones in today’s smartphones aren’t protected from magnetic field manipulation. Source

The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a “malicious” power source. The authors of the original attack used a specially modified wireless charger for this purpose.
VoltSchemer 的创建者扩展了已知的 Heartworm 攻击,能够使用“恶意”电源影响正在充电的智能手机的麦克风。最初攻击的作者为此使用了经过特殊修改的无线充电器。

2. Overheating a charging smartphone
2. 充电时智能手机过热

Next, the researchers tested whether it’s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.
接下来,研究人员测试了是否有可能利用 VoltSchemer 攻击使使用受损充电器充电的智能手机过热。通常,当电池达到所需的充电水平或温度升至阈值时,智能手机会发送命令停止充电过程。

However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up — and the smartphone can’t do anything about it. For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn’t help it shuts down completely.
然而,研究人员能够使用 VoltSchemer 来阻止这些命令。在没有收到停止命令的情况下,受感染的充电器会继续向智能手机供电,逐渐使其升温,而智能手机对此无能为力。对于这种情况,智能手机具有避免过热的紧急防御机制:首先,设备关闭应用程序,如果这没有帮助,它就会完全关闭。

Attacks on wireless chargers: how to “fry” a smartphone

Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178°F — approximately 81°C. Source
利用 VoltSchemer 攻击,研究人员能够将无线充电器上的智能手机加热到 178°F(约 81°C)的温度。来源

Thus, the researchers were able to heat a smartphone up to a temperature of 81°C (178°F), which is quite dangerous for the battery — and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).
因此,研究人员能够将智能手机加热到 81°C (178°F) 的温度,这对电池来说非常危险,并且在某些情况下可能会导致其着火(这当然可能导致其他问题)如果充电手机无人看管,东西会着火)。

3. “Frying” other stuff

Next, the researchers explored the possibility of “frying” various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn’t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.

Now, take a guess what will happen to any items lying on the charger at that moment! Nothing good, that’s for sure. For example, the researchers were able to heat a paperclip to a temperature of 280°C (536°F) — enough to set fire to any attached documents. They also managed to fry to death a car key, a USB flash drive, an SSD drive, and RFID chips embedded in bank cards, office passes, travel cards, biometric passports and other such documents.
现在,猜猜此时充电器上的任何物品会发生什么!没有什么好事,这是肯定的。例如,研究人员能够将回形针加热到 280°C (536°F) 的温度,足以点燃任何附加文件。他们还成功炸死了汽车钥匙、USB闪存驱动器、SSD驱动器以及嵌入银行卡、办公通行证、旅行卡、生物识别护照和其他此类文件中的RFID芯片。

Attacks on wireless chargers: how to “fry” a smartphone

Also using the VoltSchemer attack, researchers were able to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536°F — 280°C. Source
同样利用 VoltSchemer 攻击,研究人员能够禁用车钥匙、USB 闪存驱动器、SSD 驱动器和几张带有 RFID 芯片的卡,并将回形针加热到 536°F – 280°C 的温度。来源

In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.
研究人员总共检查了商店中九种不同型号的无线充电器,所有这些都容易受到 VoltSchemer 攻击。正如您可能猜到的那样,功率最高的型号带来的危险最大,因为它们最有可能造成严重损坏并使智能手机过热。

Should you fear a VoltSchemer attack in real life?
您应该担心现实生活中的 VoltSchemer 攻击吗?

Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don’t connect your own wireless charger to any suspicious USB ports or power adapters.
防范 VoltSchemer 攻击相当简单:只需避免使用公共无线充电器,并且不要将自己的无线充电器连接到任何可疑的 USB 端口或电源适配器即可。

While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it’s not exactly clear what the benefits to an attacker would be — unless they’re a pyromaniac, of course.
虽然 VoltSchemer 攻击非常有趣并且可以产生惊人的结果,但它们在现实世界中的实用性却非常值得怀疑。首先,这种攻击组织起来非常困难。其次,目前尚不清楚攻击者能得到什么好处——当然,除非他们是纵火狂。

But what this research clearly demonstrates is how inherently dangerous wireless chargers can be — especially the more powerful models. So, if you’re not completely sure of the reliability and safety of a particular wireless charger, you’d be wise to avoid using it. While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a “rogue” charger that no longer responds to charging commands isn’t entirely absent.

原文始发于Alanna Titterington:Attacks on wireless chargers: how to “fry” a smartphone

版权声明:admin 发表于 2024年3月2日 下午1:50。
转载请注明:Attacks on wireless chargers: how to “fry” a smartphone | CTF导航