Apple Laptops Vulnerable To Battery Firmware Hack

Trailrunner7 writes "Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road. Miller discovered the default passwords set on the battery at the factory to change the battery into unsealed mode and developed a method that let him permanently brick the battery as well as read and modify the entire firmware. 'You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though,' Miller said."

Re:Physical access?

[SomePgmr]

I only skimmed it, but it doesn't seem to say if he needed physical access to the battery to do this. Obviously the two must communicate (on-battery and OS), but it doesn't say if access was achieved on an in-use battery from the host machine.

Obviously this is important, because it changes the attack vector significantly. There's a big difference between being vulnerable to the battery manufacturer or if a random infection could push code to the battery (or even brick it).

Re:Why?

[joocemann]

In other news - batteries have firmware.

WHY!!?!?! I echo your sentiment because this is ridiculous.

1) Why would a device whose purpose is to provide electrical supply have to have firmware, or even some other-than-electrical relationship with the system.
2) Why would someone permit any communication from the 'firmw'a....

you know.. I could count out the reasons but its just too frustrating to conceive the stupidity in Apple's choices here.

THE REASON VULNERABILITIES ARE FOUND/EXPLOITED IS BECAUSE ENGINEERS/DEVELOPERS PERMIT THEM BY POOR DESIGN.

If the target pathway of the attack was not open or existent, it could not occur. This is the absolute logic of the situation. In nearly all cases, if there is no backdoor you cannot open it. The people making software and hardware need to be thinking about how to achieve goals without opening doors. They should be considering the involvement of absolute hardware protection on the PHYSICAL level, possibly even involving analog technology, that mediates security. I know a bunch of shortsighted CS people will reply with their lack of brainstorming answers, telling me its not possible... The winner being the one who can make it possible.

Re:Why?

[bughunter]

I had a similar problem with a macbook pro battery I bought in Jan 2010. By Jan 2011, it would barely hold 30 minutes of operating energy, and reported a health of 15%. The number of cycles reported was 49. Not a typo. Forty-nine.

No amount of "calibrating" the battery nor resetting the EPS would change this. I had to fork out $129 for a new battery. As it turns out, leaving the damn thing plugged in all the time and never draining the charge severely shortens the life of the cells.

Lesson: run the thing from the battery every once in a while.