A group of academic researchers demonstrate that a brand-new set of attacks known as” VoltSchemer” can use an off-the-shelf wireless charger’s magnetic field to inject voice commands into the voice assistant of smartphones.
Additionally, VoltSchemer can be used to heat items near the charger to temperatures higher than 536F ( 280C), damaging the mobile device physically.
VoltSchemer is an attack that uses electromagnetic interference to alter the behavior of the charger, according to a technical paper co-signed by CertiK and University of Florida researchers.
The researchers tested nine of the most popular wireless chargers on the market globally to demonstrate the attack, exposing security flaws in these products.
Why are these attacks possible?
Using the electromagnetic induction principle, wireless charging systems frequently transfer energy between two objects using electromagnetic fields.
A receiver coil in a smartphone captures the energy from the magnetic field and transforms it into electrical energy to charge the battery, while alternating current flows through the transmitter coil of the charging station to create an oscillating magnet field.
Attackers can fine-tune the voltage fluctuations ( noise ) on a charger’s input to produce an interference signal that can change the magnetic field characteristics that are generated.
An interposing device can introduce voltage manipulation without physically altering the charging station or infecting a smartphone device with software.
According to the researchers, this noise signal can obstruct the regular data exchange between smartphones and charging stations, both of which use highly precise power signal distortion and data corruption microcontrollers to manage the charging process.
In essence, VoltSchemer exploits security flaws in wireless charging system hardware and communication protocols.
Overheating/overcharging, breaking Qi safety standards, and injecting voice commands into the charging smartphone are just a few of the potential attack vectors that could be used by VoltSchemer attacks.
frying phones and tricking voice assistants
To prevent overcharging, which is communicated with the charging station to lessen or stop power delivery, smartphones are made to stop charging once the battery is full.
The VoltSchemer-introduced noise signal can obstruct this communication, limiting power delivery and posing a serious safety risk by overcharging and overheating the smartphone while it is charging.
The following is a description of the researchers ‘ Samsung Galaxy S8 experimentation:
The temperature quickly increased after CE packets were injected to boost power. Soon after, the phone attempted to stop power transfer by sending overheated EPT packets, but these were corrupted by our voltage manipulator’s voltage interference, rendering the charger inoperable.
The charger continued to transfer power after being duped by fake CE and RP packets, which increased the temperature. At 126 degrees Fahrenheit, the phone closed apps, restricted user interaction, and started an emergency shutdown at 170 degrees ( 76.7 % Celsius ). Power transfer persisted, keeping the temperature dangerously high and stabilizing at 178 F (81 C ).
(arxiv.org)
The second , VoltSchemer attack type can start energy transfer to nearby non-supported items by eluding the safety mechanisms provided by the Qi standard and the NBSSP. Examples include  , USB sticks, RFID or NFC chips for access control and payment cards, laptop SSD drives, and other items near the charging pad.
The researchers were able to heat document clips to a temperature of 536 F ( 280 C), which is more than enough to ignite the papers.
Electronics cannot withstand this level of heat and could be harmed by a VoltSchemer attack.
When a car key fob was attacked, the battery blew up and the object was destroyed. Similar to SSD drives, the voltage transfer caused data loss with USB storage drives.
Delivering inaudible voice commands to iOS ( Siri ) and Android ( Google Assistant ) assistants was the third type of attack the researchers tested.
The researchers have shown that calling, browsing websites, and launching apps can all be accomplished by injecting a series of voice commands through noise signals sent over the charging station’s range.
However, this attack has restrictions that might make it impossible to use in a practical situation. The target’s activation commands would need to be recorded first, followed by add  to the output voice signals of the power adapter. which, in a frequency range below 10 kHz, contain the most crucial information.
The researchers add that a recent study demonstrated that” an AM-modulated magnetic field can cause , magnetic-induced sound ( MIS ) in the microphone circuits of modern smartphones” by adding “voice signal” to the power adapter’s output voltage and modulating it with limited attenuation and distortions.”
Anything posing as a legitimate accessory, distributed through various channels like promotional giveaways, second-hand sales, or as replacements for allegedly recalled products, could be the interfering devices introducing the malicious voltage fluctuations.
Although it is possible to deliver higher voltage to mobile devices using a wireless charger on the charging pad or nearby items, manipulating phone assistants with VoltSchemer creates an increased barrier due to the attacker’s abilities and motivation.
Modern charging stations and standards have security gaps as a result of these discoveries, highlights, and calls for better designs that are electromagnetic interference-resistant.
The researchers discussed safety measures that could reduce the possibility of an a , VoltSchemer attack with the vendors of the tested charging stations.