OS X Security Hardware Apple

Apple Laptops Vulnerable To Battery Firmware Hack 272

Posted by Soulskill
from the good-thing-they're-so-easy-to-replace dept.
Trailrunner7 writes "Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road. Miller discovered the default passwords set on the battery at the factory to change the battery into unsealed mode and developed a method that let him permanently brick the battery as well as read and modify the entire firmware. 'You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though,' Miller said."
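The "instructions" the summary refers to travel over the Smart Battery System (SBS) interface: the host reads and writes 16-bit registers on the battery's controller over SMBus, and the vendor's manufacturer-access commands (including the unseal step Miller describes) ride on the same bus. The decoder below is an added example, not code from the article or from Charlie Miller's research: the register numbers, units, status bits and the CRC-8 packet error code come from the public SBS 1.1 and SMBus specifications, and every frame it processes is constructed sample data, not output captured from an Apple battery. It validates the PEC before trusting a value, which is the one integrity check the bus gives a host against a corrupted or tampered frame.

```python
"""
Decode Smart Battery System (SBS 1.1) read-word frames as they appear on
the SMBus between a laptop host and its battery controller.

Added example. Register numbers, units and BatteryStatus bits are from the
public SBS 1.1 specification; the PEC is the SMBus CRC-8. All sample
frames are constructed, not real battery output.
"""

SBS_ADDR = 0x0B  # 7-bit SMBus address every Smart Battery answers on

# Subset of SBS 1.1 read-word registers: command -> (name, unit, signed)
SBS_REGISTERS = {
    0x08: ("Temperature", "0.1 K", False),
    0x09: ("Voltage", "mV", False),
    0x0A: ("Current", "mA", True),          # negative while discharging
    0x0D: ("RelativeStateOfCharge", "%", False),
    0x0F: ("RemainingCapacity", "mAh", False),
    0x10: ("FullChargeCapacity", "mAh", False),
    0x16: ("BatteryStatus", "bitfield", False),
    0x17: ("CycleCount", "cycles", False),
    0x18: ("DesignCapacity", "mAh", False),
}

# BatteryStatus (0x16) alarm and state bits; bits 0-3 carry an error code
BATTERY_STATUS_FLAGS = {
    0x8000: "OVER_CHARGED_ALARM",
    0x4000: "TERMINATE_CHARGE_ALARM",
    0x1000: "OVER_TEMP_ALARM",
    0x0800: "TERMINATE_DISCHARGE_ALARM",
    0x0200: "REMAINING_CAPACITY_ALARM",
    0x0100: "REMAINING_TIME_ALARM",
    0x0080: "INITIALIZED",
    0x0040: "DISCHARGING",
    0x0020: "FULLY_CHARGED",
    0x0010: "FULLY_DISCHARGED",
}


def smbus_pec(data: bytes) -> int:
    """SMBus Packet Error Code: CRC-8, polynomial 0x07, init 0, no reflection."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def read_word_frame(cmd: int, value: int) -> bytes:
    """Bytes of an SMBus Read Word with PEC, in wire order:
    [addr|W, command, addr|R, data_lo, data_hi, pec]."""
    body = bytes([SBS_ADDR << 1, cmd, (SBS_ADDR << 1) | 1,
                  value & 0xFF, (value >> 8) & 0xFF])
    return body + bytes([smbus_pec(body)])


def write_word_frame(cmd: int, value: int) -> bytes:
    """Bytes of an SMBus Write Word with PEC: [addr|W, command, lo, hi, pec].
    This is the shape of any host-to-battery instruction, e.g. setting
    RemainingCapacityAlarm (0x01) or a ManufacturerAccess (0x00) word."""
    body = bytes([SBS_ADDR << 1, cmd, value & 0xFF, (value >> 8) & 0xFF])
    return body + bytes([smbus_pec(body)])


def decode_read_word(frame: bytes) -> dict:
    """Check addressing and PEC, then decode one read-word frame."""
    if len(frame) != 6:
        raise ValueError("expected a 6-byte read-word frame with PEC")
    if frame[0] != SBS_ADDR << 1 or frame[2] != (SBS_ADDR << 1) | 1:
        raise ValueError("frame is not a read from the Smart Battery address")
    if smbus_pec(frame[:5]) != frame[5]:
        raise ValueError("PEC mismatch: corrupted or tampered frame")
    cmd = frame[1]
    raw = frame[3] | (frame[4] << 8)
    name, unit, signed = SBS_REGISTERS.get(cmd, (f"Unknown(0x{cmd:02X})", "raw", False))
    value = raw - 0x10000 if signed and raw & 0x8000 else raw
    out = {"register": name, "unit": unit, "value": value}
    if cmd == 0x16:
        out["flags"] = [n for bit, n in BATTERY_STATUS_FLAGS.items() if raw & bit]
        out["error_code"] = raw & 0x0F
    elif cmd == 0x08:
        out["celsius"] = round(raw / 10 - 273.15, 1)
    return out


def decode_capture(frames) -> list:
    """Decode a sequence of read-word frames, keeping PEC failures as errors."""
    results = []
    for f in frames:
        try:
            results.append(decode_read_word(f))
        except ValueError as e:
            results.append({"error": str(e)})
    return results


if __name__ == "__main__":
    # Constructed sample capture: voltage, current, temperature, status, cycles
    sample = [read_word_frame(0x09, 12345), read_word_frame(0x0A, 0xFA24),
              read_word_frame(0x08, 2981), read_word_frame(0x16, 0x00C0),
              read_word_frame(0x17, 312)]
    for r in decode_capture(sample):
        print(r)
```

Every register in the capture decodes only after its PEC matches; a single flipped data byte is reported as an error rather than as a plausible-looking reading. The write-word builder shows the other direction of the same channel, which is why a host that can issue arbitrary ManufacturerAccess words has the same reach as the researcher describes.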


  • Why? (Score:5, Insightful)

    by Qwell (684661) on Friday July 22, 2011 @05:01PM (#36851586)

    In other news - batteries have firmware.

    • Re:Why? (Score:5, Informative)

      by CFD339 (795926) <andrewp.thenorth@com> on Friday July 22, 2011 @05:37PM (#36852106) Homepage Journal

      Lithium Ion batteries are inherently unstable and have to be charged and discharged very carefully. Unlike the old school batteries you'd think of, these batteries have a controller to manage them built in. When that fails, you have big problems (remember the defective ones a few years ago that would just burst into flames?)

      • Don't worry, the Department of Homeland Security will propose that all software developers have to be certified with an engineering like degree which ties back to a federal oath you must take. You will be held accountable but also have job security. Oh, and tuition for proper training will exceed $100,000.

        Wanna code, you gotta be rich. You'll be less likely to be a terrorist anyways right? Oh, and all non-certified programming is illegal punishable as a felony and a trip to prison.

        You think I'm joking? That

    • Re: (Score:3, Interesting)

      by joocemann (1273720)

      In other news - batteries have firmware.

      WHY!!?!?! I echo your sentiment because this is ridiculous.

      1) Why would a device whose purpose is to provide electrical supply have to have firmware, or even some other-than-electrical relationship with the system.
      2) Why would someone permit any communication from the 'firmw'a....

      you know.. I could count out the reasons but it's just too frustrating to conceive the stupidity in Apple's choices here.

      THE REASON VULNERABILITIES ARE FOUND/EXPLOITED IS BECAUSE ENGINEERS/DEVELOPERS PERMIT THEM BY POOR DESIGN.

      If t

      • 1) Why would a device whose purpose is to provide electrical supply have to have firmware, or even some other-than-electrical relationship with the system.
        2) Why would someone permit any communication from the 'firmw'a....

        Let's see - so the user could have some idea what the battery charge was? So the user could have some idea what the 'health' of the battery is?

        And notice that Charlie Miller (the hacker) could NOT figure out how to control the computer from the battery. It's possible that with more work he could, but that remains to be seen. Security is ALWAYS a tradeoff with usability. If you're so paranoid, unhook the battery, and run it off the wall wart.

        And loosen the straps on the hat. The tinfoil is eating

        • by rtb61 (674572)

          Let's be more honest it all breaks down to "Government Regulation" vs "Corporate Greed". Corporations as run by psychopathic asshats, will seek every possible method to screw their customers for every possible cent of profit upon a completely amoral or sociopathic basis. Government regulation is then required to force morals onto those corporations in order to get them to treat the customers/voters in a somewhat reasonable fashion.

          I for one think, that being able to remotely program a battery that is cap

      • by rednip (186217)
        It's not like it's a router with a default password, it's a battery wired into the laptop. The fact that it even has a username and password is likely only an unneeded part of the stable code the firmware is based on. Would you expect that every laptop would be shipped with a different default password for its BATTERY?

        Why would a device whose purpose is to provide electrical supply have to have firmware

        Now you're just trying to re-engineer the battery, what would make you think that you can? While it might seem to be a requirement, simply having a snarky know-it-all attitude doesn't quit

        • Here's the brainstorm you didn't have.... It took me 10 seconds.

          Make access to battery firmware physical, and physical only - requiring specific access port ONLY.

          Make important 'battery related' data that you would want only travel in one direction, to the computer itself. That way the battery operates completely independently, sending electricity, as its main purpose, and its status for your information.

          I knew people with no imagination would tell me it's gotta be this way... Good luck with that.

          • by willy_me (212994)

            Make access to battery firmware physical, and physical only - requiring specific access port ONLY.

            So if you worked for Apple would you want to deal with a recall of a million+ laptops? Previously, every other model has required an update. It simply is not practical. Much better to allow the firmware to be updated via software update. If you are worried about a virus being able to go from the battery to the computer then simply make sure the software that communicates with the battery is not filled with bugs. The communication protocols will be simple so it will not be a difficult task. It is not l

            • by Wovel (964431)

              What he said, plus there is no way to compromise the OS through this vector and it is no more likely to be exploited than any other hardware firmware.

            • by Rich0 (548339)

              So you can harm your computer by running malicious code outside of a sandbox. Is this really news to anyone?

              Well, there is a disturbing trend towards an increasing number of hardware components that can be irreversibly damaged by software. 15 years ago there wasn't anything software could do to your computer that couldn't be undone by booting off of a clean floppy and re-installing the OS.

              Fast-forward to today. Now a virus can blast through write cycles on flash chips, permanently destroying them. It can wipe the BIOS, which on many motherboards cannot be recovered without changing chips. It can cycle your DV

            • You're not really going to try, at all, are you? You're talking about what we already know, and ignoring the fact that it is reckless/vulnerable for convenience.

              Meh... you can scan all my other posts on this topic for some inspiration. Real inventors have ideas, and then make it reality -- they don't look at reality and accept it as is.

              All you said was 'change the locks'. That's pretty lame.

    • by yakatz (1176317)
      Firmware [wikipedia.org] in [sbs-forum.org] a [batteryuniversity.com] battery [buchmann.ca]
      Smart batteries are used by Apple [apple.com], Lenovo [lenovo.com], HP/Compaq [hp.com], and other companies.
    • hey, I just 'flashed' my battery.

      is that good or bad?

      and, if I crossflash to another model, can I overclock its volts?

    • by hedley (8715)

      About 20kbytes of code so I was told. The uP has an analogue block called a coulomb counter. There is also some non volatile storage to keep
      track of the # of cycles plus other pertinent facts about that battery pack.

      Progress no? Certainly good for uP vendors since each battery needs one.

      H.

  • So, kudos for looking at the patches and finding the password, but without providing a tool to set the password to something else this is just kinda weak. 'Hai guys, I rooted your battery and you can't do anything about it!'. Clever but not helpful.

  • by MBCook (132727) <foobarsoft@foobarsoft.com> on Friday July 22, 2011 @05:08PM (#36851680) Homepage

    Isn't this sort of like how the Pandora Batteries worked on the PSP? I think they enabled a diagnostic mode as opposed to a direct hack, but the battery being used to corrupt the system thing isn't totally new.

    On the plus side, the hard to replace batteries people complain about make this attack more difficult to perform, instead of just taking a few seconds.

    • That's a minus, not a plus. A hard to replace battery isn't any harder to hack, it's just harder to fix.
      • by gl4ss (559668)

        That's a minus, not a plus. A hard to replace battery isn't any harder to hack, it's just harder to fix.

        he was thinking of using it to hack a laptop you've gained access to.

        • by MBCook (132727)

          Right. What I meant was that with an older MacBook Pro where you could just pop the battery out and pop a new one in, it would be easy to gain access to my laptop on my desk if I'm away for just a few minutes. With the newer MBPs, you'd have to remove the bottom case (8 Torx screws?), unplug the battery cable, swap batteries, plug the new cable in, put the bottom back on, and put the screws back in... all before I walked by my desk and noticed.

          As an end-user, yeah, it's a little annoying. But in this one r

  • by JoeWalsh (32530) on Friday July 22, 2011 @05:08PM (#36851684)

    I don't have to worry about that. Not only am I using a Dell, but my battery exploded.

    • by _xeno_ (155264)

      Not only am I using a Dell, but my battery exploded.

      Don't worry, Apple laptop batteries do that too.

      I'm already on my second Apple laptop battery after the first one bulged to the point it no longer fit within the laptop case. Thankfully I'm using the "old" MacBook: the one where you can replace the battery and hard drive on it, both things you can't do with the new ones.

      Which makes me think that somehow I might be staying away from the new "sealed" MacBooks with the unreplaceable batteries, especially because searching for "bulging battery" [google.com] brings up nothin

      • Re:No worries here (Score:4, Informative)

        by jittles (1613415) on Friday July 22, 2011 @05:42PM (#36852162)
        Actually, it's not terribly hard to remove the batteries on the 2011 Macbook pros. Not something you could do easily on a plane, or in the car, but you can definitely do so with just two screwdrivers. Or one screwdriver with a replaceable bit.
        • by Dice (109560)

          Not terribly hard compared to what?

          You know how I remove the battery on my Thinkpad? I slide the clasp into the unlocked position then slide the battery out. Same for the DVD drive (although I don't know who swaps theirs out, there doesn't appear to be an option to put a second battery there).

          I can also use one screwdriver, a phillips, to replace the hard drive, memory, wireless card, keyboard, CPU, video card, etc.

        • by mjwx (966435)

          Actually, it's not terribly hard to remove the batteries on the 2011 Macbook pros. Not something you could do easily on a plane, or in the car, but you can definitely do so with just two screwdrivers. Or one screwdriver with a replaceable bit.

          You've missed the point.

          It's harder than it should be. Dell, Lenovo and HP sell more laptops to enterprises in a day than Apple do in a year because they have better support and are better designed. If a Dell breaks at my workplace, all I do is move the HDD into a similar model, it's literally a two minute operation because Dell know the HDD is one of the parts that is more readily changed/serviced by the user. RAM and batteries also fall into this category.

          If my boss takes a 12 hour flight to Europe,

      • You'd better be careful with all those facts. Slashdot mods might mod you 'troll'.

      • by willy_me (212994)

        Which makes me think that somehow I might be staying away from the new "sealed" MacBooks with the unreplaceable batteries, especially because searching for "bulging battery" brings up nothing but horror stories about Apple batteries. Apparently they've had this problem for over five years and have never bothered fixing it.

        The batteries used in the laptops today are completely different from the removable ones. They used to contract out for batteries, I believe to Sony but there were likely others involved as well. Now they build their own batteries. A huge investment on their part and likely the reason why it took 5 years to fix the problem. Current batteries are Li-Pol based and are far more durable than the Li-Ion batteries used on cheaper laptops. These batteries appear to be free of the "bulge" defects that effecte

      • by russotto (537200)

        Which makes me think that somehow I might be staying away from the new "sealed" MacBooks with the unreplaceable batteries, especially because searching for "bulging battery" brings up nothing but horror stories about Apple batteries. Apparently they've had this problem for over five years and have never bothered fixing it.

        The bulging is a symptom, not a problem. A lot of problems with lithium-polymer cells will cause them to swell up. Overheat them, they swell. Short them, they swell. Overcharge them (w

  • by davidwr (791652) on Friday July 22, 2011 @05:19PM (#36851812) Homepage Journal

    This is just one more reason why software that's not designed to be frequently changed should be write-protected unless the user sets a specific hardware switch.

    If the hardware switch is in its default location - "protect" - it should be mathematically provable that the firmware cannot be overwritten.

    • by gmuslera (3436) *
      Writable firmware/BIOS can turn vulnerabilities into nightmares [serverwatch.com]. You don't have to write complex replacement firmware, just be able to write garbage there and turn millions of computers, cellphones, network/gfx cards and so on into paperweights.
  • Most firmware flashing requires the root password to perform, so I'm assuming that unless you're talking about removing the battery from the computer. So at least authentication is required for this, which lessens the threat considerably.

    However, this is a very interesting angle. I can somewhat see where there's a password required for access, but it's more to keep the battery secure than the computer. Or possibly to prevent cycle-count tampering to get around warranty claims on consumed batteries that a

    • by gl4ss (559668)

      In the modern world, that actually is news. I got plenty of devices with non-upgradeable firmware (though the company that sold 'em originally could update).

  • by ae1294 (1547521) on Friday July 22, 2011 @05:43PM (#36852188) Journal

    So does anyone know if the firmware can be upgraded to cause the battery to burst into flames? That would be funny and probably not covered by the Apple warranty.

    • FTA:

      "I started out thinking I wanted to see if a bad guy could make your laptop blow up. But that didn't happen," he said. "There are all kinds of things engineers build into these batteries to make them safe, and this is just one of them. I don't know if you could really melt the thing down."

  • I used to work on 'network management' and the NMS systems would drill down and do queries on the equipment in the rack. Equipment usually would support an 'environmental' data set that includes dynamic info (volts, current, fan-flow, temperature) but also static info (serial #, vendor #, batch #, pcb version, firmware version). It's useful to have that.

    I learned from experience that the closer to the device this info lives, the better. There can be multiple NMSs that walk the network or poll devices. if

    • by kybred (795293)

      ... now many batteries are chipped. 'for your protection' but they are authentication chipped for vendor lock-in (or lock-out, depending on POV).

      Sometimes 'for your protection' really means for your protection. If you put some cheap knock-off battery in the device, maybe it has different charge characteristics and the device will over-charge it, which can cause all kinds of problems.

      • by Rich0 (548339)

        Or, maybe it works just fine but it undercuts the vendor's market.

        I'm not a big fan of protecting consumers from themselves, or vendors from competition.

        And, why can't we just have standard-size batteries anyway? That and standard size oil filters while we're at it...

    • by Nethead (1563)

      Thank the imaginary friend that SNMP didn't report the status of every spit-jet cartridge!

  • by pbjones (315127) on Friday July 22, 2011 @07:01PM (#36853042)

    If it's a problem at Apple then it's a problem with a number of other hardware devices that use the same battery controllers, so your windoze laptop isn't safe either. Someone could also hack my Logitech Mouse and brick it too, or any number of peripherals that have upgradeable firmware, like my router, printer, keyboard, the list goes on.

  • Remove batteries from Apple laptops when reimaging them (until after all patches are applied). Sigh. And here I thought it was just the Apple keyboards which were a potential malware nest.
  • Decades old news (Score:4, Insightful)

    by pbjones (315127) on Friday July 22, 2011 @07:12PM (#36853120)

    BTW, Apple batteries have had firmware for the last 10-15 years, so your info is a little late.

  • One of the problems with LiON cells is that the logic controller can get the wrong impression about the state of the cell it is controlling. (This is for various reasons, but the most common is that it uses a function of charge/discharge time, and voltage output per cell to determine if the cell is bad or not.)

    Some charging solutions "Pulse charge" a cell to bring the voltage back up to the point where the charge logic will turn the cell back on again, but this is dangerous because the pulsing can make lith

  • It wasn't mentioned in the article, but I'm curious whether this is a custom-for-Apple microcontroller/firmware, or one of the several off-the-shelf battery authentication ICs [google.com] currently on the market. Firmware on a battery is not entirely surprising - charge management, capacity counting, authentication and various safety checks can be cheaply integrated that way, and a little serial bootloader onboard for emergency bugfixes is a "why-not" feature. In the case of authentication, some manufacturers are now us

  • After Windowsupdate.com, now it will be Batteryupdate.com.

    Somewhere in a basement in Guangdong or Beijing, keyboards are already at work to create a new Blaster.

  • One of the other problems is that Apple is running BSD in there instead of Linux so they wouldn't have to worry about GPL :-)
