Earlier, we reported on a battery charger that could infect your Windows PC. Now, a security researcher has discovered a way to “infect” the batteries, or rather, the chips that control the batteries, of MacBooks.
Laptop batteries contain a microcontroller. That chip lets a lithium-ion pack monitor its own temperature (and, ideally, keep it from overheating, catching fire, or exploding) and decide when to stop charging, even when the laptop itself is off. The same chip is also how the operating system and the charger read the battery’s state.
What Accuvant security researcher Charlie Miller discovered, and what he plans to present at the Black Hat security conference in August, is a way to hack into the microcontroller in Apple laptop batteries. It turns out that the chips in the batteries not only contain firmware that can be rewritten, they also ship with one of two factory-default passwords guarding it. Anyone who knows those passwords can rewrite the firmware to do whatever they want.
It’s possible, Miller discovered, to write the firmware in such a way as to brick the battery. In fact, Miller posited, it’s possible to write the firmware in such a way as to infect the laptop itself with malware. IT administrators, who aren’t used to thinking of a battery as a malware vector, could re-image a laptop only to find it infected again, because the malicious code would survive in the battery rather than on the disk.
That sort of attack would also require a vulnerability in the interface between the microcontroller and the operating system, which Miller suggested may not be hard to find. “Presumably Apple has never considered that as an attack vector, so it’s very possible it’s vulnerable,” he said.
Although Miller found a vulnerability, he also found a fix. At the Black Hat conference, he plans to release a tool called “Caulkgun” that changes the microcontroller firmware’s passwords to random strings. He also sent his research to Apple so that the company would be aware of the vulnerability.
One drawback of randomizing the passwords, however, is that once they have been changed, Apple would no longer be able to reprogram the firmware in the battery if it needed to. For example, if Apple discovered some sort of bug that caused overheating, one that could be fixed with a firmware update, it wouldn’t be able to apply that fix to any battery whose passwords had been modified.
That’s a downside of Miller’s fix, but it’s up to each user to decide how big a downside it is. After all, Apple has released firmware updates for its laptop batteries before, and it could do so again in the future.
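To make the trade-off concrete, here is an added illustration in Python of the two-password access scheme described above and of what a Caulkgun-style password randomization changes. This is not code from the original article, from Charlie Miller, or from Caulkgun itself: the state names, the password values and widths, and the function names are assumptions made for the demo, and a real battery controller speaks a specific command set that this model does not reproduce.

```python
"""Simplified model of a smart-battery controller whose firmware is
guarded by two factory-default passwords, plus a Caulkgun-style
randomization of those passwords.

Added illustration only: the defaults, password widths, state names and
function names below are assumptions, not any real chip's command set.
"""
import hmac
import secrets

# Constructed stand-ins for the factory defaults (assumed values, not real ones).
DEFAULT_UNSEAL = b"\x04\x14"
DEFAULT_FULL_ACCESS = b"\xff\xff"

SEALED, UNSEALED, FULL_ACCESS = "sealed", "unsealed", "full_access"


class BatteryController:
    """Two-tier access: the unseal password opens the first door, the
    full-access password the second. Firmware writes and password
    changes are only accepted in the FULL_ACCESS state."""

    def __init__(self, unseal=DEFAULT_UNSEAL, full_access=DEFAULT_FULL_ACCESS):
        self._unseal = unseal
        self._full = full_access
        self.state = SEALED
        self.firmware = b"factory-firmware-v1"

    def reset(self):
        # Re-sealing (e.g. after a power cycle) drops all privileges.
        self.state = SEALED

    def unseal(self, password: bytes) -> bool:
        # compare_digest avoids timing leaks and handles unequal lengths.
        if self.state == SEALED and hmac.compare_digest(password, self._unseal):
            self.state = UNSEALED
            return True
        return False

    def full_access(self, password: bytes) -> bool:
        if self.state == UNSEALED and hmac.compare_digest(password, self._full):
            self.state = FULL_ACCESS
            return True
        return False

    def write_firmware(self, image: bytes) -> bool:
        if self.state != FULL_ACCESS:
            return False
        self.firmware = image
        return True

    def set_passwords(self, unseal: bytes, full_access: bytes) -> bool:
        if self.state != FULL_ACCESS:
            return False
        self._unseal, self._full = unseal, full_access
        return True


def try_reflash(ctl, unseal_pw, full_pw, image) -> bool:
    """Whoever holds these two passwords (attacker, vendor or owner)
    runs the full unlock sequence and attempts a firmware write."""
    ctl.reset()
    ok = ctl.unseal(unseal_pw) and ctl.full_access(full_pw) and ctl.write_firmware(image)
    ctl.reset()
    return ok


def caulkgun_style_randomize(ctl, current_unseal, current_full):
    """Swap the current passwords for random ones, as the article says
    Caulkgun does. Returns the new pair; whoever loses it (including the
    vendor, who never had it) can no longer reprogram the battery."""
    ctl.reset()
    if not (ctl.unseal(current_unseal) and ctl.full_access(current_full)):
        ctl.reset()
        return None
    new_unseal, new_full = secrets.token_bytes(4), secrets.token_bytes(4)
    while new_unseal == DEFAULT_UNSEAL or new_full == DEFAULT_FULL_ACCESS:
        new_unseal, new_full = secrets.token_bytes(4), secrets.token_bytes(4)
    ctl.set_passwords(new_unseal, new_full)
    ctl.reset()
    return new_unseal, new_full


def demo() -> dict:
    """Walk through the attack, the fix, and the fix's drawback."""
    ctl = BatteryController()
    malicious = b"attacker-firmware"          # constructed sample image
    vendor_fix = b"factory-firmware-v2-thermal-fix"  # constructed sample image

    results = {}
    # With factory defaults anyone can reflash the battery.
    results["attack_with_defaults_before"] = try_reflash(
        ctl, DEFAULT_UNSEAL, DEFAULT_FULL_ACCESS, malicious)

    # Owner runs the randomizer and keeps the new passwords.
    new_unseal, new_full = caulkgun_style_randomize(
        ctl, DEFAULT_UNSEAL, DEFAULT_FULL_ACCESS)

    # Attacker using the defaults is now locked out...
    results["attack_with_defaults_after"] = try_reflash(
        ctl, DEFAULT_UNSEAL, DEFAULT_FULL_ACCESS, malicious)
    # ...but so is a vendor update that relies on the defaults (the drawback).
    results["vendor_update_with_defaults_after"] = try_reflash(
        ctl, DEFAULT_UNSEAL, DEFAULT_FULL_ACCESS, vendor_fix)
    # Only the holder of the new passwords can still apply the fix.
    results["owner_update_with_new_passwords"] = try_reflash(
        ctl, new_unseal, new_full, vendor_fix)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'succeeded' if outcome else 'blocked'}")
```

The model keeps the two decisions separate on purpose: randomizing locks out anyone relying on the defaults, attacker and vendor alike, so the owner who runs such a tool has to keep the new passwords somewhere safe if they ever want a legitimate firmware update to go through.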
How big is this vulnerability? It’s hard to say. Miller said, “No one has ever thought of this as a security boundary. It’s hard to know for sure everything someone could do with this.”