VoltSchemer attacks use wireless chargers to inject commands and overheat phones
A study conducted by researchers at the University of Florida delves into a form of cyberattack utilizing Qi wireless chargers, termed VoltSchemer. Their research details the intricacies of these attacks, elucidating their feasibility and outcomes. The technique they've outlined involves injecting voice commands via the magnetic field emanating from readily available wireless chargers to manipulate a smartphone's voice assistant.
This method poses a significant threat as it could potentially disrupt charging devices, circumvent the security measures of the Qi standard, and control voice assistants by capitalizing on voltage fluctuations from the power source. The Qi standard, developed by the Wireless Power Consortium, facilitates communication among the power adapter, wireless charger, and the device being charged.
VoltSchemer has the capability to cause physical harm to mobile devices and elevate the temperature of objects in proximity to the charger to over 280C (536F). Described by the researchers and CertiK as an attack exploiting electromagnetic interference to alter the charger's behavior, VoltSchemer presents a formidable security concern.
The main idea behind the VoltSchemer attacks
The Qi standard has become the dominant one in its field: it’s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.
The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only “thing” connecting the charger and the smartphone — a magnetic field — to transmit messages.
The second feature is the way that wireless chargers are intended for anyone to freely use. That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption — all commands are transmitted in plain text.
It is this lack of encryption that makes communication between charger and smartphone susceptible to man-in-the-middle attacks; that is, said communication can be intercepted and tampered with. That, coupled with the first feature (use of the magnetic field), means such tampering is not even that hard to accomplish: to send malicious commands, attackers only need to be able to manipulate the magnetic field to mimic Qi-standard signals.
An overlay of a malicious power adapter created on a regular wall USB socket (arxiv.org)
And that’s exactly what the researchers did: they built a “malicious” power adapter disguised as a wall USB socket, which allowed them to create precisely tuned voltage noise. They were able to send their own commands to the wireless charger, as well as block Qi messages sent by the smartphone.
Thus, VoltSchemer attacks require no modifications to the wireless charger’s hardware or firmware. All that’s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.
VoltSchemer attacks don’t require any modifications to the wireless charger itself — only a power source is enough.
Different possible attack vectors through VoltSchemer
Researchers have taken a step further to discover all possible exploits and attack vectors and tested their feasibility in practice.
1. Silent commands to Siri and Google Assistant voice assistants
The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who dubbed this attack Heartworm.
Heartworm attack sends silent commands to the smartphone’s voice assistant using a magnetic field
The idea here is that the smartphone’s microphone converts sound into electrical vibrations. It’s therefore possible to generate these electrical vibrations in the microphone directly using electricity itself rather than actual sound. To prevent this from happening, microphone manufacturers use electromagnetic shielding — Faraday cages. However, there’s a key nuance here: although these shields are good at suppressing the electrical component, they can be penetrated by magnetic fields.
Smartphones that can charge wirelessly are typically equipped with a ferrite screen, which protects against magnetic fields. However, this screen is located right next to the induction coil, and so doesn’t cover the microphone. Thus, today’s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields — such as wireless chargers.
The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a “malicious” power source. The authors of the original attack used a specially modified wireless charger for this purpose.
2. Overheating a charging smartphone
Next, the researchers tested whether it’s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.
However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up — and the smartphone can’t do anything about it. For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn’t help it shuts down completely.
Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178°F — approximately 81°C.
Thus, the researchers were able to heat a smartphone up to a temperature of 81°C (178°F), which is quite dangerous for the battery — and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).
3. VoltSchemer attack on other appliances
Next, the researchers explored the possibility of “frying” various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn’t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.
Now, take a guess what will happen to any items lying on the charger at that moment! Nothing good, that’s for sure. For example, the researchers were able to heat a paperclip to a temperature of 280°C (536°F) — enough to set fire to any attached documents. They also managed to fry to death a car key, a USB flash drive, an SSD drive, and RFID chips embedded in bank cards, office passes, travel cards, biometric passports and other such documents.
Using the VoltSchemer attack to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536°F — 280°C.
In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.
Should you fear a VoltSchemer attack in real life?
Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don’t connect your own wireless charger to any suspicious USB ports or power adapters.
While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it’s not exactly clear what the benefits to an attacker would be — unless they’re a pyromaniac, of course.
But what this research clearly demonstrates is how inherently dangerous wireless chargers can be — especially the more powerful models. So, if you’re not completely sure of the reliability and safety of a particular wireless charger, you’d be wise to avoid using it. While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a “rogue” charger that no longer responds to charging commands isn’t entirely absent.
REFERENCE
- Attacks on wireless chargers: how to “fry” a smartphone by Alanna Titterington – Kaspersky Daily
- VoltSchemer attacks use wireless chargers to inject voice commands, fry phones by Bill Toulas - BleepingComputer
- RESEARCH PAPER - VoltSchemer: Use Voltage Noise to Manipulate Your Wireless Charger Zhan, Z., Yang, Y., Shan, H., Wang, H., Jin, Y., & Wang, S. (2024) – arvix.org
- RESEARCH PAPER - Inducing Wireless Chargers to Voice Out for Inaudible Command Attacks Dai, D., An, Z. and Yang, L., (2023) – ieee.org
About the Author
Ruben George