It is well known that plugging your mobile device in for charging in public/uncontrolled places through Micro-USB can be a security hazard. The USB protocol supports much more than just transferring power, leaving the device exposed to all sorts of malicious data transfer.
So although I wouldn’t plug my phone into any untrusted wired charger, I wonder whether wireless charging technologies – like Qi – pose a security threat, for example by permitting any sort of backdoor/exploited access to the device itself?
I encounter public wireless charging pads with increasing frequency (e.g. in cafes), and they seem to be an extremely convenient way of keeping your phone up (Nexus 4 in my case) almost seamlessly. Thus I’m quite interested in whether it is possible to take advantage of this nice new technology without worrying about security threats.
Older chargers used to just be a simple power supply – little more than a diode bridge, a capacitor and a voltage regulator IC. They supplied a steady voltage to the phone, often +5V. When USB connectivity arrived with modern phones, +5V became a standard and the supply pins on the USB header were used for charging just the same. The two data pins would be left floating or tied to ground, and would not be used.
These days things have changed. Modern phones are power-hungry smart devices, with large batteries. The old USB standards heavily limit the amount of current that can be supplied to a device. On a USB 1.1 port, you could draw up to 100mA of current on the +5V line. This equates to 0.5W, which certainly isn’t much when charging. USB 2.0 increased this to 500mA, and USB 3.0 increased it further to 900mA. However, the actual allowed power consumption is not as simple: when just plugged in, the maximum a device is allowed to draw is only 100mA / 150mA for USB 2.0 / 3.0 respectively. The device must designate itself as a particular type, as must the dock into which it is plugged. This is called a negotiation.
There are three main types of power state for USB:
- No Dead Battery (NDB) mode – allows 100mA (150mA on USB3) to be drawn when plugged into a device without any negotiation. No data may be transferred.
- Host charger mode – allows 100mA on USB 1.1, 500mA on USB 2.0 and 900mA on USB 3.0 after the device has been registered with the host, and full duplex communications can occur. This is the “normal” mode most devices will be in when plugged into a computer.
- Dedicated charger mode – only defined for USB 2.0 and 3.0, and allows 1.5A on a dedicated charger device. Whilst in this mode, no data may be transferred. However, the device must negotiate this mode with the charger.
Notice that only 150mA may be drawn by the device when no negotiation has occurred. This is a safety feature, as over-current protection on a device may involve surface-mount fuses that require de-soldering to replace. As such, if a device tried to pull 1.5A on a USB 1.1 host that only supports 100mA, you’d likely melt the host. As such, we have to do proper negotiation, which involves some data transfer.
Here’s where things get fuzzy:
- The negotiation phase may be implemented in hardware, firmware or software. Usually the first step is hardware, then the next step is firmware, and the final step (OS recognition via PnP) is software.
- The data involved in the initial negotiation handshake doesn’t (as far as I’m aware) involve any arbitrary length buffers. It’s this stage that involves the power negotiation.
- The data involved in the full Plug-n-Play negotiation is complicated and most certainly does involve arbitrary length buffers.
As such, modern dedicated chargers usually have a small microcontroller or dedicated USB host chip to deal with the negotiation phase. This means there is usually a firmware-based attack surface on the charger, and most definitely on the device. However, some specialised chargers (e.g. iPhone) cheat the specification by using detection tricks (e.g. capacitive sensing on the data lines) to make charger production cheaper, and therefore don’t need to do any data transfer. This may or may not be a violation of the USB specification, but big companies tend to be able to get stuff like that past regulatory bodies.
The wireless charging side works almost the same way, except the actual transfer of current is done via an oscillating electromagnetic field. The negotiation works in the same way, just over an NFC-style communications channel. If you could inject data into that communications channel, you might alter the way the negotiation works, but I doubt you could do anything interesting without violating the protocol. An interesting avenue of research would be to see if any devices have buffer overflows or similar issues in the protocol.
So, in conclusion, you may be able to find an exploit for a device, but it’s likely to do nothing more than temporarily brick the USB controller IC on the device. Alternatively, you could replace the charger with an active host, and use it to fully negotiate with the device and send commands to it. This is especially dangerous on iPhone and Android devices that have USB debugging enabled, as it allows the device’s memory to be accessed.
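As an added illustration of the negotiation this answer describes (a constructed model, not code from any real phone or charger firmware): the device-side charge states with the current limits the answer quotes, showing that a device stays at 100/150mA until a handshake has happened and that only host mode permits data transfer. Mode names and the `UsbPort` class are my own naming.

```python
"""Constructed model of USB charge negotiation as described in the answer above."""
from dataclasses import dataclass, field

# Current limits (mA) quoted in the answer, keyed by USB version.
UNNEGOTIATED_LIMIT = {"1.1": 100, "2.0": 100, "3.0": 150}   # NDB: no negotiation yet
HOST_LIMIT = {"1.1": 100, "2.0": 500, "3.0": 900}           # after enumeration with a host
DEDICATED_LIMIT = {"2.0": 1500, "3.0": 1500}                # dedicated charger, USB 2.0/3.0 only


@dataclass
class UsbPort:
    """Device-side view of the port it is plugged into (hypothetical model)."""
    usb_version: str
    mode: str = "NDB"                       # NDB, HOST or DEDICATED
    log: list = field(default_factory=list)

    def negotiate_host(self):
        # Full enumeration with a real host: descriptors are exchanged, so data flows.
        self.log.append("enumerate: descriptors exchanged with host")
        self.mode = "HOST"

    def negotiate_dedicated(self):
        # Dedicated charger mode is only defined for USB 2.0 and 3.0.
        if self.usb_version not in DEDICATED_LIMIT:
            raise ValueError("dedicated charger mode undefined for USB " + self.usb_version)
        self.log.append("charger detection handshake")
        self.mode = "DEDICATED"

    def limit_ma(self):
        """Maximum current the device may draw in its current state."""
        if self.mode == "NDB":
            return UNNEGOTIATED_LIMIT[self.usb_version]
        if self.mode == "HOST":
            return HOST_LIMIT[self.usb_version]
        return DEDICATED_LIMIT[self.usb_version]

    def data_allowed(self):
        # Only host mode carries full-duplex data; NDB and dedicated charger do not.
        return self.mode == "HOST"

    def draw(self, requested_ma):
        """Clamp a requested current to what the present state permits (the safety rule)."""
        limit = self.limit_ma()
        if requested_ma > limit:
            self.log.append(f"request {requested_ma} mA clamped to {limit} mA in {self.mode}")
            return limit
        return requested_ma
```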
There is no security threat coming from wireless chargers, nor USB chargers for that matter. When you plug a USB charger into your phone it starts charging, but storage access is not enabled; you have to manually enable access to the phone storage. However, you have to make sure ADB and USB debugging are disabled, and there might be an exploit in one of the Linux USB drivers, but that is unlikely, as the code has been around for quite a while and none have been found.
With wireless charging I’d say it’s impossible to remotely exploit the phone. The wireless battery circuitry and the battery part itself are separate from the main CPU, and the only communication between the battery part and the CPU is the status of the battery. Also, for a successful practical attack, you require 2-way communication. The charging pad is transmitting EM energy, but that energy is not “shaped” in any specific way that could represent information. Furthermore, there is no logic inside the phone to interpret the wireless charger’s EM energy as data. It works on the principle of induction, like an induction kitchen stove.
The only threat from wireless charging pads that I see is that they could be used to cause DoS by damaging (“frying”) your phone’s electronic circuitry by sending too much energy. However, I hope phone manufacturers have implemented some kind of protection against such a thing. But if there is really a lot of energy coming from the charger, no protection will help you as the phone is not grounded. However, such attacks would not serve any other purpose than destruction.