VoltSchemer: Use Voltage Noise to Manipulate Your Wireless Charger

TL;DR

VoltSchemer identifies and exploits a vulnerability in Qi wireless charging where low-frequency voltage noise from the power supply can modulate the charger’s power signal, enabling attacker control without modifying the charger hardware. The authors formalize adapter-to-load and load-to-adapter propagation models and demonstrate three practical attacks—voice-assistant manipulation, Qi-message injection, and eavesdropping—across 9 commercial chargers, including demonstrations of wireless power toasting and foreign-object destruction. By injecting controlled EMI with parameters $m_i$ and $f_i$, VoltSchemer can cause misbehavior in in-band Qi communications and safety features, potentially bypassing FOD and End Power Transfer protocols. They propose countermeasures (e.g., DC-DC input filtering achieving at least ~15 dB noise attenuation at low frequencies and real-time bus monitoring) while acknowledging trade-offs in cost, size, and efficiency. The work underscores significant practical risks to consumer devices and charging infrastructure, prompting a reexamination of EMI robustness in wireless charging systems and broader implications for adjacent domains like EV wireless charging.

Abstract

Wireless charging is becoming an increasingly popular charging solution in portable electronic products for a more convenient and safer charging experience than conventional wired charging. However, our research identified new vulnerabilities in wireless charging systems, making them susceptible to intentional electromagnetic interference. These vulnerabilities facilitate a set of novel attack vectors, enabling adversaries to manipulate the charger and perform a series of attacks. In this paper, we propose VoltSchemer, a set of innovative attacks that grant attackers control over commercial-off-the-shelf wireless chargers merely by modulating the voltage from the power supply. These attacks represent the first of its kind, exploiting voltage noises from the power supply to manipulate wireless chargers without necessitating any malicious modifications to the chargers themselves. The significant threats imposed by VoltSchemer are substantiated by three practical attacks, where a charger can be manipulated to: control voice assistants via inaudible voice commands, damage devices being charged through overcharging or overheating, and bypass Qi-standard specified foreign-object-detection mechanism to damage valuable items exposed to intense magnetic fields. We demonstrate the effectiveness and practicality of the VoltSchemer attacks with successful attacks on 9 top-selling COTS wireless chargers. Furthermore, we discuss the security implications of our findings and suggest possible countermeasures to mitigate potential threats.

Figures (21)

• Figure 1: Overview of Wireless Charging System
• Figure 2: Attack overview: A victim uses Commercial-Off-The-Shelf Qi-compatible wireless chargers and power receivers. An intermediary-connected attacking device on the power adapter manipulates the output voltage and current to: 1) manipulate the magnetic field to interfere with the charged device. 2) interactively communicate with the charger and control the charging process. This setup enables foreign object destruction, wireless power toasting, and voice assistant manipulation attacks.
• Figure 3: The schematic of a wireless charging system
• Figure 4: Circuit model to analyze the impact of power adapter's output voltage $v_{ad}$ on bus voltage $v_{bus}$
• Figure 5: DC-AC inverter schematic