Apple laptop batteries can be hacked to infect the laptop with malware, or possibly even rigged to explode, a well-known security researcher has found.
All modern laptop batteries have logic chips inside them that communicate with the computer they’re powering. That’s how you’re able to see how much charge is remaining. The chips also carry out regulatory tasks, such as shutting down the charging process when a battery’s at risk of overcharging.
But any logic chip has operating software — “firmware” — and that software can usually be remotely updated.
Charlie Miller, who’s famous for winning the annual Pwn2Own contest four times with his Mac OS X and iOS exploits, discovered that Apple puts the same password on all its laptop batteries in order to efficiently send out battery firmware updates.
Unfortunately, a skilled malicious hacker armed with the password could alter the firmware, Miller says. Altered firmware could be used to store malware or tweaked to damage the computer.
“These batteries just aren’t designed with the idea that people will mess with them,” Miller told Forbes tech blogger Andy Greenberg. “What I’m showing is that it’s possible to use them to do something really bad.”
Miller will be presenting his findings at next week’s Black Hat security conference in Las Vegas. He has already notified Apple of the vulnerability, and is not revealing the password.
Digging into source code
Miller, who was formerly with the National Security Agency and currently works for Denver security firm Accuvant Labs, was intrigued by a 2009 firmware update that Apple had sent out to fix a problem with MacBook batteries.
He analyzed the code for the update, found an administrative password and then noticed it applied to all models of Apple battery. This isn’t unusual — the iPhone, iPad and iPod Touch also share a default, and easily Googled, administrative password.
Miller reverse-engineered the Apple battery firmware (“bricking,” or permanently damaging, seven of the $130 batteries in the process) and discovered how to alter it to send false readings to the laptop user, to damage the battery or even to serve as a hidden repository for malware.
“You could put a whole hard drive in, reinstall the software, flash the BIOS and every time it would re-attack and screw you over,” Miller told Greenberg. “There would be no way to eradicate or detect it other than removing the battery.”
The greater problem
Could the firmware be rigged to make the battery explode? Miller found that the Apple batteries had built-in fuses to prevent serious overheating, but there’s no guarantee counterfeit batteries would have such safeguards.
Miller has written a patch — he’s calling it “Caulkgun” — for the Apple battery vulnerability and will release it at Black Hat.
The downside is that Caulkgun will prevent future firmware updates. Nor will it do anything to solve the greater problem, because this vulnerability is not confined to Apple laptop batteries.
Most computer accessories and parts — hard drives, optical drives, graphics cards and network cards, for example — use firmware-upgradable logic chips. Most have enough memory space to house a small piece of malware.
It’s likely that most items in each category from a particular brand use the same administrative password.
For malicious hackers, it’s just a matter of finding out what those passwords are.