Monday, July 25, 2011

Apple Laptop Hack Disables Batteries, Researcher to Show How at Black Hat

At the upcoming Black Hat security conference, a security researcher will demonstrate how he hacked the chips in laptop batteries to corrupt them beyond repair.

Charlie Miller, a principal research consultant at Accuvant Labs, was able to take over the controller chips inside the batteries of several Apple laptop models and "brick" them. Miller is widely known for his work on vulnerabilities in Mac OS X and Apple's iOS.

Miller can overwrite the battery management firmware and disable a battery completely, to the point that the laptop no longer recognizes it as a valid battery. For now, his method yields attacks that are more of a costly annoyance than a threat to the data on the machine; attackers would have to do more work to build malware that uses the battery as a vector to infect the computer itself, Miller said.

A security researcher says he has found a new security flaw in Apple laptops that could let attackers ruin laptop batteries, plant malware on them or potentially cause them to overheat and catch fire.

Miller, principal research consultant at Accuvant Labs, said he has found a way to manipulate the chips embedded inside Apple laptop batteries.

The chip monitors the battery's temperature and level of charge, among other things. Those chips can be controlled by malware running on the laptop using a default password that Miller found on a website of the chip's maker, Texas Instruments. Apple never changed the default password, Miller said.

Miller's discovery, first reported by, is the latest potential security flaw found in Apple's product line. Earlier this month, security experts disclosed a bug in Apple's iOS operating system that could allow criminal hackers to gain remote access to iPhones, iPads and iPod Touch devices, Reuters reported. Apple said it is fixing that issue in an upcoming software update.

At the very least, Miller found he could ruin laptop batteries by altering the chip's code. Not wanting to set his home on fire, Miller stopped there. But he imagines darker possibilities for hackers if Apple does not fix the security flaw.

"I have full access to the battery and I can make any changes I want," Miller told The Huffington Post.

For example, attackers could install malware on the battery that anti-virus software would not detect, because it would live in the battery's controller rather than on the hard drive, he said. The malware could attack the laptop's operating system again and again, even after the user installed a new hard drive.

“What I’m showing is that it’s possible to use them to do something really bad,” Miller told Forbes.

Most modern laptop batteries contain a microcontroller that monitors the charge level of the pack and reports it to the operating system, which uses it to track how much charge is left. The battery also relies on the chip to know when to stop charging and to keep track of how hot it gets during operation.

Miller examined MacBooks, MacBook Pros and MacBook Airs, and found that the batteries in those units shipped with a 4-byte default password hard-coded into the controller chip, plus a second default password that grants full access to the chip's firmware. With both default passwords in hand, an attacker can rewrite the chip's firmware. Miller found the passwords by analyzing a 2009 Apple software update that addressed an issue with MacBook batteries. He then reverse-engineered the chip's firmware, modified the power readings it reported to the operating system, and rewrote the firmware itself.

The ability to access and send instructions to the chip could be used by other attackers for malicious purposes, such as preloading malware onto the chip, according to Miller. Once an attacker finds a way to get from the battery back into the operating system, battery-resident malware could reinfect the computer to steal data, take control of the laptop or crash it whenever it runs, Miller said.

"The battery would keep attacking it," he said.

Miller, a former security researcher for the National Security Agency, said it is possible that Apple has taken extra security measures to prevent that, or worse, a battery being made to overheat and catch fire. He said he reported his findings to Apple but did not hear back.

An Apple spokeswoman did not return a call for comment.

Since his discovery, Miller said he has received some criticism.

"People thought maybe I had blown up batteries, but I haven't blown up anything," he said. "It's a step in that direction, but I don’t really know what all the implications are."

Miller said he wrote a paper on the security flaw that he plans to present at the Black Hat security conference in August in Las Vegas, where he also plans to unveil a solution called a "Caulkgun" that changes the battery's default password.

While the security flaw presents a potential danger, Miller said most users should not be overly concerned about a hacker taking over their laptop battery.

"It's really only for people who are very paranoid," he said.

When faced with this kind of malware, IT administrators and users will wipe the hard drive, reinstall the software and reflash the BIOS, but will not think to check the battery's firmware, according to Miller. "Every time it would reattack and screw you over," Miller said, noting the only way to eradicate or detect it would be by removing the battery.
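A baseline check of the kind Miller says administrators skip, as an added example that is not from the article or from Miller's tools: it parses the identity fields that macOS's `ioreg -r -c AppleSmartBattery` prints for the battery and diffs them against a saved baseline. The sample ioreg output and its values are constructed, and the four key names used are assumed to be the ones ioreg reports on a MacBook of that era.

```python
"""Record a battery's self-reported identity and flag changes on later runs."""
import json
import re

# Assumed key names from `ioreg -r -c AppleSmartBattery` output on a MacBook.
IDENTITY_KEYS = ("Manufacturer", "DeviceName",
                 "FirmwareSerialNumber", "BatterySerialNumber")

# Constructed sample of ioreg output; values are illustrative, not a real unit.
SAMPLE_IOREG = """\
+-o AppleSmartBattery  <class AppleSmartBattery, id 0x100000252, registered, matched, active>
    {
      "Manufacturer" = "SMP"
      "DeviceName" = "bq20z451"
      "FirmwareSerialNumber" = 258
      "BatterySerialNumber" = "C01234567890ABC"
      "CycleCount" = 120
      "MaxCapacity" = 5200
      "DesignCapacity" = 5770
    }
"""

# ioreg prints properties as   "Key" = value   with strings in double quotes.
_PROP = re.compile(r'^\s*"(?P<key>[A-Za-z0-9]+)"\s*=\s*(?P<val>.+?)\s*$')


def parse_ioreg(text):
    """Turn the `"Key" = value` lines of an ioreg dump into a dict.

    Quoted values become str, bare integers become int, anything else is kept
    as the raw string so nothing is silently dropped."""
    fields = {}
    for line in text.splitlines():
        m = _PROP.match(line)
        if not m:
            continue
        val = m.group("val")
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        else:
            try:
                val = int(val)
            except ValueError:
                pass
        fields[m.group("key")] = val
    return fields


def battery_identity(text):
    """Keep only the fields that identify the pack and its firmware."""
    fields = parse_ioreg(text)
    return {k: fields[k] for k in IDENTITY_KEYS if k in fields}


def compare(baseline, current):
    """Return (key, old, new) for every identity field that changed or vanished."""
    return [(k, baseline.get(k), current.get(k))
            for k in IDENTITY_KEYS if baseline.get(k) != current.get(k)]


if __name__ == "__main__":
    # On a Mac: the first run records the baseline, later runs diff against it.
    import subprocess
    import sys
    path = "battery-baseline.json"
    live = subprocess.run(["ioreg", "-r", "-c", "AppleSmartBattery"],
                          capture_output=True, text=True, check=True).stdout
    current = battery_identity(live)
    try:
        with open(path) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        with open(path, "w") as f:
            json.dump(current, f)
        print("baseline recorded:", current)
        sys.exit(0)
    for key, old, new in compare(baseline, current):
        print(f"CHANGED {key}: {old!r} -> {new!r}")
```

The caveat matters more than the script: every field here is reported by the battery's own firmware, so a malicious image can answer with whatever the baseline expects, and a clean diff proves nothing. The check catches sloppy or unexpected reflashes and gives you a record of which pack was in the machine; certainty still comes only from pulling the battery, as Miller says.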

“These batteries just aren’t designed with the idea that people will mess with them,” Miller said.

On Aug. 4, the second day of the Black Hat conference in Las Vegas, Miller will demonstrate his hack and release a fix, "Caulkgun," to address the issue. He said he had already shared his research with Apple and Texas Instruments.

The Caulkgun program Miller will release changes the battery firmware's passwords to random values, so the vendor defaults no longer work. The trade-off is that any future Apple battery-firmware update would rely on those defaults, and would therefore fail on a battery that Caulkgun has modified.
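To make the two-level gate and the Caulkgun trade-off concrete, here is an added model, not Miller's code and not the chip's real protocol, of the sealed, unsealed and full-access states the article describes, with a Caulkgun-style rotation of both passwords. The key values, method names and firmware blobs are assumptions for illustration; the real default passwords and the chip's commands are deliberately not reproduced.

```python
"""Toy model of a password-gated battery controller and a Caulkgun-style key rotation."""
import os

# Assumed illustrative defaults; the real vendor values are not reproduced here.
DEFAULT_UNSEAL_KEY = b"\x00\x01\x02\x03"        # 4-byte "unseal" password (assumed)
DEFAULT_FULL_ACCESS_KEY = b"\xfe\xfe\xfe\xfe"   # second, full-access password (assumed)


class AccessDenied(Exception):
    pass


class BatteryController:
    """Gas-gauge controller model: firmware writes need the full-access level."""

    def __init__(self, unseal_key=DEFAULT_UNSEAL_KEY,
                 full_access_key=DEFAULT_FULL_ACCESS_KEY):
        self._unseal_key = bytes(unseal_key)
        self._full_access_key = bytes(full_access_key)
        self.level = "sealed"
        self.firmware = b"vendor-firmware-v1"

    def seal(self):
        self.level = "sealed"

    def unseal(self, key):
        # First gate: the right 4-byte key takes the chip out of the sealed state.
        if self.level == "sealed" and bytes(key) == self._unseal_key:
            self.level = "unsealed"
        return self.level != "sealed"

    def full_access(self, key):
        # Second gate: only an already-unsealed chip accepts the full-access key.
        if self.level == "unsealed" and bytes(key) == self._full_access_key:
            self.level = "full"
        return self.level == "full"

    def write_firmware(self, blob):
        if self.level != "full":
            raise AccessDenied("firmware write requires full access")
        self.firmware = bytes(blob)

    def set_keys(self, unseal_key, full_access_key):
        # Changing the keys is itself gated on full access.
        if self.level != "full":
            raise AccessDenied("changing keys requires full access")
        self._unseal_key = bytes(unseal_key)
        self._full_access_key = bytes(full_access_key)


def flash(battery, unseal_key, full_access_key, blob):
    """Try a firmware write with one key pair; True on success. Always re-seals."""
    battery.seal()
    try:
        if not battery.unseal(unseal_key) or not battery.full_access(full_access_key):
            return False
        battery.write_firmware(blob)
        return True
    finally:
        battery.seal()


def caulkgun(battery, unseal_key, full_access_key, new_keys=None):
    """Rotate both keys to random values, as the article says Caulkgun does.

    Returns the new pair; whoever wants to flash later must keep it."""
    if new_keys is None:
        new_keys = (os.urandom(4), os.urandom(4))
    battery.seal()
    try:
        if not (battery.unseal(unseal_key) and battery.full_access(full_access_key)):
            raise AccessDenied("cannot rotate keys without the current key pair")
        battery.set_keys(*new_keys)
    finally:
        battery.seal()
    return new_keys


def demo():
    """Returns (attacker_before, attacker_after, vendor_after, vendor_with_new_keys)."""
    bat = BatteryController()
    # On a stock battery the attacker and the vendor's updater share the same defaults.
    attacker_before = flash(bat, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY, b"malicious")
    new_keys = caulkgun(bat, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY)
    # After rotation the defaults are dead for everyone, including the vendor.
    attacker_after = flash(bat, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY, b"malicious")
    vendor_after = flash(bat, DEFAULT_UNSEAL_KEY, DEFAULT_FULL_ACCESS_KEY, b"vendor-v2")
    vendor_with_new_keys = flash(bat, new_keys[0], new_keys[1], b"vendor-v2")
    return attacker_before, attacker_after, vendor_after, vendor_with_new_keys


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The last two results are the whole point of the article's caveat: a per-device secret shuts out anyone holding the published default, and the vendor's updater is just another such party unless it is handed the new keys.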

Hard-coded default passwords are a long-standing problem: many devices ship from the factory with passwords that cannot be changed. Stuxnet, discovered in 2010, used a hard-coded default password in Siemens' WinCC industrial control software as one of its propagation methods on its way to the controllers driving the centrifuges at Iran's nuclear facility.

While Miller's research suggests that malware authors could target batteries next, it is not a bigger threat than any other possible hardware-based attack, according to Paul Ducklin, Sophos' head of technology for the Asia-Pacific region. Apple laptop batteries are not the new attack vector any more than "any other hardware in your system with field-updatable firmware," such as the motherboard, wireless card, graphics device and others, Ducklin wrote on the company's Naked Security blog.

Ducklin also noted that malware has rewritten firmware on hardware devices before. In the late 1990s the CIH virus, also called Chernobyl, overwrote the flash BIOS of infected systems on April 26, leaving the machines unable to boot. "No malware ever appeared in the wild to do more than simply 'brick' an affected PC's BIOS," Ducklin said, noting that most personal computer BIOSes still aren't protected from this kind of attack.
