Time to Rethink the Design of Qi Standard? Security and Privacy Vulnerability Analysis of Qi Wireless Charging

With the ever-growing deployment of Qi wireless charging for mobile devices, the potential impact of its vulnerabilities is an increasing concern. In this paper, we conduct the first thorough study of its potential security and privacy vulnerabilities. Because electromagnetic signals propagate openly and the Qi communication channel is not encrypted, we demonstrate that the Qi communication established between the charger (i.e., a charging pad) and the charging device (i.e., a smartphone) can be non-intrusively interfered with and eavesdropped on. In particular, we build two types of attacks: 1) Hijacking Attack: by stealthily placing an ultra-thin adversarial coil on the wireless charger’s surface, we show that an adversary is capable of hijacking the communication channel by injecting malicious Qi messages to further control the entire charging process as they desire; and 2) Eavesdropping Attack: by sticking an adversarial coil underneath the surface (e.g., a table) on which the charger is placed, the adversary can eavesdrop on Qi messages and further infer the device’s running activities while it is being charged. We validate these proof-of-concept attacks using multiple commodity smartphones and 14 commonly used calling and messaging apps. The results show that our designed hijacking attack can cause overcharging, undercharging, paused charging, etc., potentially leading to more significant damage to the battery (e.g., overheating, reduced battery life, or explosion). In addition, the designed eavesdropping attack achieves high accuracy in detecting and identifying the running app activities (e.g., over 95.56% and 85.80% accuracy for calling apps and messaging apps, respectively). Our work brings to light a fundamental design vulnerability in the currently deployed wireless charging architecture, which may put people’s security and privacy at risk while they wirelessly recharge their smartphones.
