Charlie Miller finds security flaw in Apple’s notebook batteries

Tue, Jul 26, 2011


Apple doesn’t want users tinkering with or even removing their notebook batteries, but an overlooked security flaw might give attackers access to a machine’s battery controller, and with it the ability to wreak all sorts of havoc on a user’s laptop.

The flaw was discovered by security researcher Charlie Miller (shocker), who plans to explain the exploit at this year’s upcoming Black Hat security conference in Las Vegas. If Miller sounds familiar, it’s because he’s the same guy who previously discovered a nifty iPhone SMS exploit whereby an attacker could remotely take over any iPhone by sending it a single character via a text message.

In any event, here’s what we know about Miller’s latest work.

After examining batteries from a number of different MacBook models, Miller found that the battery’s microcontroller firmware still used the manufacturer’s default password, leaving it open to anyone who knows that password. Armed with it, an attacker could potentially destroy a user’s battery at will, perhaps cause it to overheat or catch fire, and even install malware in the battery’s firmware, where anti-virus software, which scans the disk and the operating system rather than the battery, would never see it.

Modern laptop batteries contain a microcontroller that monitors the unit’s charge level, allowing the operating system and the charger to check on the battery’s state and respond accordingly. That embedded chip is what lets a lithium-ion pack know when to stop charging even when the computer is powered off, and regulate its own temperature for safety.

“These batteries just aren’t designed with the idea that people will mess with them,” Miller explained. “What I’m showing is that it’s possible to use them to do something really bad.”

Thankfully Miller, one of the good guys (he formerly worked for the NSA), plans to release a tool called “Caulkgun” that changes the default password on a battery’s firmware to a random string of characters. Miller notes, however, that a battery locked this way would also refuse Apple’s own firmware updates, since the updater would no longer have the password it expects, so keep that in mind.

Lastly, Miller contacted both Apple and Texas Instruments (which manufactures the controller) to make them aware of his research.

In light of Miller’s findings, some coverage is leaning on hyperbole to make the situation appear more threatening than it really is. To that end, a user comment from the original article tries to put things in perspective:

Wow, talk about making a mountain out of a molehill. This article is full of “maybe” and “possible” and “you read stories about…”. Is it possible to explode a battery by tampering with its firmware? Maybe, but no one has proven it.

And hiding a virus in the battery firmware? On a clean system, how would you get that virus to upload into the OS? Seems like you’d need participation on both sides and I don’t think a clean OS is going to ask the battery to upload its contents.

And how is this a security threat at all? How does one access the battery firmware? Certainly this does not show a web page exploit or anything so dangerous. And there’s not even any proof that if someone were foolish enough to download an infected app and run it that anything at all bad could result.

All the researcher has done is to show that he can use a piece of software to overwrite the battery firmware. I can destroy a battery much quicker with an electric drill.

The researcher has done a good job in discovering a potential weakness in the software stack. I’m sure Apple and other manufacturers will correct the problem in the future. But to characterize Macs as being “vulnerable to attack” because of this is a pretty big overstatement.

via Forbes
