At the upcoming Black Hat security conference, a security researcher will demonstrate how he hacked the chips in laptop batteries to corrupt them beyond repair.
Charles Miller, a principal research consultant at Accuvant Labs, was able to take over chips inside the batteries powering several of Apple’s popular laptop brands and “brick” them. Miller is widely known for his work on Mac OS X and Apple’s iOS vulnerabilities.
As a result, Miller can overwrite battery management firmware to completely disable the batteries on Apple laptops to the point that the computer no longer recognizes them as valid battery units. At this point, his method can be used to launch attacks that are more of a costly annoyance than threat to data on the machines. Malicious attackers will have to do some more work to create malware that can use the batteries as an attack vector to infect the actual machine itself, Miller said.
“What I’m showing is that it’s possible to use them to do something really bad,” Miller told Forbes.
Most modern laptop batteries come with a microcontroller that monitors the power level of the unit and sends the information to the operating system so that it can keep track of the amount of charge left. The battery also relies on the chip to know when to stop recharging and to regulate how hot it gets during operation.
Miller examined MacBooks, MacBook Pros and MacBook Airs, and found that many of the batteries on those units had a 4-byte default password hard-coded on the microchips inside and a second password to give full access to the hardware firmware. With the two default passwords in hand, the perpetrator could rewrite the chips’ firmware. Miller discovered the passwords after analyzing a software update from 2009 from Apple that addressed an issue with MacBook batteries. He was able to reverse-engineer the chip’s firmware and modify the power information it sent to the operating system. He was also able to rewrite the firmware.
The ability to access and send instructions to the chip could be used by other attackers for malicious purposes, such as preloading malware on to the chip, according to Miller. Once the attacker figures out a way to go from the battery to the operating system, battery-based malware could be used to infect the computer and steal data, take control of the laptop or cause it to crash whenever it was in operation, Miller said.
When faced with this kind of malware, IT administrators and users will wipe the hard drive, reinstall software and reinstall the BIOS firmware, but not think to check the battery’s firmware, according to Miller. “Every time it would reattack and screw you over,” Miller said, noting the only way to eradicate or detect it would be by removing the battery.
“These batteries just aren’t designed with the idea that people will mess with them,” Miller said.
On Aug. 4, the second day of the Black Hat conference in Las Vegas, Miller will demonstrate his hack and release a fix, “Caulkgun,” to address the issue. He said he had already shared his research with Apple and Texas Instruments.
The Caulkgun program Miller will release would change the battery firmware’s passwords to a random string so that it would no longer be the default password. Installing this program would also mean that if Apple decides to roll out an update in the future to fix battery issues, that update would fail.
The hard-coded default password has long been a problem, as there are a number of devices that ship from the factory with passwords that can’t be changed. Stuxnet compromised the centrifuges at Iran’s nuclear facility in 2010 by using the default password assigned to all logical controllers from Siemens.
While Miller’s research seems to indicate that malware authors can target batteries next, it is not a bigger threat than any other possible hardware-based attacks, according to Paul Ducklin, Sophos’ head of technology for the Asia-Pacific region. Apple laptop batteries are not the new attack vector any more than “any other hardware in your system with field-updatable firmware,” such as the motherboard, wireless card, graphics device and others, Ducklin wrote on the company’s NakedSecurity blog
Ducklin also noted that malicious authors have re-written firmware on hardware devices in the past. In the late 1990s, there was a virus named CIH, or Chernobyl, which re-flashed the BIOS on infected systems on April 26, causing the machine to hang. “No malware ever appeared in the wild to do more than simply ‘brick’ an affected PC’s BIOS,” Ducklin said, noting that most personal computer BIOSes still aren’t protected from this kind of attack.