The VoltSchemer Charger Attack Can Fry Your Phone, Credit Cards, Passport, and Even Whisper to Siri

From overheating phones and "power toasting" paperclips to secretly issuing voice commands, VoltSchemer is a tricky customer.

Gareth Halfacree
2 months ago β€’ Security / HW101

Researchers from the University of Florida have detailed an unusual attack that could turn off-the-shelf wireless charging pads into magnetic-stripe wipers, speakers issuing inaudible malicious commands to voice assistants, or simply dump too much power into a connected smartphone and overheat it.

"VoltSchemer [is] a set of innovative attacks that grant attackers control over commercial-off-the-shelf wireless chargers merely by modulating the voltage from the power supply," the team explains of its research. "These attacks represent the first of its kind, exploiting voltage noises from the power supply to manipulate wireless chargers without necessitating any malicious modifications to the chargers themselves."

Offering higher convenience than traditional wired chargers, wireless chargers come with a range of protections built into them to prevent them from sending power to places it's not expected β€” everything from negotiating exactly how much power a smartphone can accept to rejecting foreign objects placed on or near the charging pad by mistake. VoltSchemer, though, can defeat them all, and more.

"The significant threats imposed by VoltSchemer are substantiated by three practical attacks, where a charger can be manipulated to: control voice assistants via inaudible voice commands, damage devices being charged through overcharging or overheating, and bypass Qi-standard specified foreign-object-detection mechanism to damage valuable items exposed to intense magnetic fields," the team explains. "We demonstrate the effectiveness and practicality of the VoltSchemer attacks with successful attacks on 9 top-selling COTS [Commercial Off-The-Shelf] wireless chargers."

The most obvious of the attacks is simple enough: by injecting noise into the charger's input, it's possible to influence its output β€” causing it to overcharge a connected smartphone and, potentially, cause it damage through overheating. The second is only marginally more unexpected: causing the chargers to output energy even when a compatible device is not in range, which could wipe the magnetic stripe on credit cards placed nearby or overload near-field communication (NFC) and radio frequency ID (RFID) devices like passports and contactless cards β€” and which can even scorch paper documents held together with metal clips.

The third attack, though, comes out of left field: turning the device into a speaker, of sorts, capable of issuing inaudible instructions to always-on voice assistant software. "Although successful attacks have different maximum attacking distances," the team notes, "the maximum distance is not smaller than the 3cm wireless charging range limited by the misalignment constraint in [the] Qi standard, therefore, the voice assistant manipulation attacks can always be successfully conducted to the charged smartphones."

In mitigation, beyond the need for an attacker to be able to gain access to the charger's power supply, the team proposes a pair of countermeasures: the addition of DC-to-DC converters and other noise-removal components, alongside real-time voltage monitoring which could shut down the device is tampering is detected. "However, the cost implications of implementing [these mitigations may] pose a challenge for low-cost devices."

A preprint of the team's work has been published on Cornell's arXiv server under open access terms, and was accepted for presentation at the 33rd USENIX Security Symposium.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire:
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles