Attack of the Apple laptop battery: Vulnerability could be used to install malware

A security researcher has uncovered a potentially serious vulnerability in Apple laptop batteries that could result in altering the firmware, allowing a malicious cracker to plant malware.

The new MacBook Airs have arrived to some rave reviews, but here's a scary thought: a security researcher says that Apple's laptop batteries are vulnerable to potential attacks that could plant malware or even be rigged to damage the laptop. The researcher in question is Charlie Miller, who has won the annual Pwn2Own contest four times with his Mac OS X and iOS exploits, so he knows what he's talking about.

Miller found that Apple gives the same password to the battery's logic chip, and that password is what allows Apple to send out battery firmware updates. The problem is that this opens the door for malicious crackers, who could potentially alter that firmware and do a lot of mischief. Here's the scoop from Security News Daily:

Miller reverse-engineered the Apple battery firmware ("bricking," or permanently damaging, seven of the $130 batteries in the process) and discovered how to alter it to send false readings to the laptop user, to damage the battery or even to serve as a hidden repository for malware.

"You could put a whole hard drive in, reinstall the software, flash the BIOS and every time it would re-attack and screw you over," Miller told Greenberg. "There would be no way to eradicate or detect it other than removing the battery."

Miller has reportedly notified Apple and plans to present his findings at the upcoming Black Hat security conference in Las Vegas (August 3 - 4, 2011).

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

36 comments
ed34222

Apple fixes nearly all their vulnerabilities, before exploits show up in the wild. Microsoft generally reacts after that fact; as, they have too many holes to deal with it any other way. That's why nearly every major Windows PC has an AV running on it; and, almost no macs do, except in their Windows VM sessions (for Mac folks running windows apps). Apple will probably have changed the password(s) on the batteries before this hack gets published.

pgit

A vulnerability has been discovered in wooden clubs. A malicious hacker could insert it into moist soil, causing it to take root and sprout, rendering the club useless for obtaining food or defending against saber tooth cats. Users are advised to keep their clubs with them inside their caves at all times. Nobody is safe anywhere.

Slayer_

If not, I predict the usual: "this is not a vulnerability, it's a feature", "You're using (or holding) it wrong", "There is no problem", "There is no problem (but in a few weeks, send an update to correct this anyways)"

Cmd_Line_Dino

from the article in Security News Daily... "Miller found that the Apple batteries had built-in fuses to prevent serious overheating, but there's no guarantee counterfeit batteries would have such safeguards." and "...this vulnerability is not confined to Apple laptop batteries." Seems that Apple did one thing right (fuses) and that other vendors have the same risk of battery "hackage"

Tony Hopkinson

I mean no one knows about the vulnerability.... These boys (not just Apple) keep making the same mistake time and time again.

JJFitz

The battery is not easily user replaceable. Thank you sir! May I have another?

Gis Bun

Typical Apple. Not changing the default password. As if not changing [officially] the battery was bad enough. Can you imagine blowing the battery? Not only to pay for the battery [and I'm sure the "Apple Tax"] but to get the laptop serviced just to replace the battery [assuming no other damage] - in comparison to Dell, HP, Toshiba, Lenovo and others, which don't require any servicing [assuming nothing else is damaged].

Spitfire_Sysop

Why does the battery contain any information at all? Apple is so strange...

pgit

Is it really the whole sky, or just an apple? ;)

Charles Bundy

Microsoft has a really solid defense strategy and ecosystem because it has evolved over time. Apple is just crawling out of the primordial soup with respect to security posture. Don't get me wrong I like Apple products but they could learn some hard fought lessons from Redmond...

Slayer_

And actually the key difference is, Microsoft ignores the vulnerabilities until they are serious, Apple pretends there aren't any vulnerabilities and never fixes them until it draws bad media attention. Oh wait, the two are pretty much the same then, both only fix problems when the media forces them to. Maddox said it best... http://www.thebestpageintheuniverse.net/c.cgi?u=macs_cant

Slayer_

With the apple logo carved into them, the rest just snap in half when you try and press them into the ground.

Charles Bundy

A built in fuse during the purposeful hack of a chemical thermal runaway?

Tony Hopkinson

So if I stick to only Apple batteries, when I'm hacked the fuse will blow. I'll still have my lap to stick another top in and order a new battery.... Course I won't be able to pay for it as I've no money and a crap credit rating....

Slayer_

Which I assume is a much more difficult task. Apparently MacOS is just an open book for exploits. Reminds me of back when we owned a snowmobile/tractor/quad dealership. The keys for all of them were more for show than anything else. You could start a sled by opening the hood and unplugging the key. You could start a tractor with a screwdriver in the keyhole (and we usually did, was easier than keeping track of keys). And you could start a quad by popping off the seat and placing a wrench across the connections. But it has a key, that must make it secure, right?

Charles Bundy

The first clamshell laptop I ever saw was an Apple; we had one literally catch fire in a lab. And I'm pretty sure that was a NiMH battery. The Li-ion pack can have thermal runaway to the point of explosion. E.g., marginal safe temp on a fast charge cycle is 300 degrees F. I don't know what it would be in a thermal runaway situation.

Slayer_

...battery to the operating system. This should be considered a terrorist issue, do not allow Apple laptops on airplanes, they could be remotely detonated.

Charles Bundy

As Blackhat 2011 security experts are saying the same thing this week...

JJFitz

devolve into Microsoft versus Apple by the 25th post. You know that. :)

Cmd_Line_Dino

It's a battery not some CIA clandestine weapon. Yes in 2006 there were incidents of fire and exploding but much has changed since then. Like the aviation industry where accidents lead to safety improvements. Some of the required safety features required in each cell... shut-down separator (for overtemperature) tear-away tab (for internal pressure) vent (pressure relief) thermal interrupt (overcurrent/overcharging) On the other hand an actual demonstration of just what modified firmware can do ... Perhaps Miller will do that.

Cmd_Line_Dino

Or perhaps swapping in an already infected battery. Something the average user can't do on a MacBook Air (thanks to Apple's greedy, dictatorial, who-cares-about-the-user design that makes battery replacement a service call)

Charles Bundy

Is an embedded processor with A/D and EEPROM storage. Its purpose in life is to be a BMS, but obviously with a few variable changes (e.g., min/max voltage and temperature) one can turn the thing into something akin to thermite. Not certain how much EEPROM is inboard but it could certainly be enough to deliver a bootstrap payload to the OS assuming there are vulnerabilities in the code that reads data from the MCU.

pgit

I "plussed" ya back to zero... I'm guessing maybe there's an apple fan (dare I say iTard?) that routinely votes down anything that mentions "apple(s)" that is either critical or that they don't understand.

Charles Bundy

The reason. Because need dictates form and function. A BMS requires updates. Following your logic you don't need an embedded processor either, but how practical is that based on the need?

Cmd_Line_Dino

Even though, as you say, "it's a MCU which is basically a self contained computer (processor, memory and I/O)", its firmware, i.e. program, could still be on a ROM, preventing malware. But in today's world of fast to market and fix the bugs as found by the consumer, the ability to update is mandatory. The reason Miller discovered the battery password issue was that he was curious about an Apple update to his battery firmware. Seems that "with greater ability comes greater responsibility"

Charles Bundy

Can't and won't :) I'm sure if there were profit in it and your watch was communicative some bright lass or laddie would compromise it!

Slayer_

Incidentally, it can't be loaded with malware that could cause it to explode. And I never need to update the firmware. I guess the folks at Timex made the effort to make sure their software doesn't have any bugs...

Charles Bundy

Because that small chip has to be intelligent enough to monitor battery cell voltages and temperature and provide appropriate charging on a cell by cell basis. As I said before it's a MCU which is basically a self contained computer (processor, memory and I/O).

Slayer_

Assuming of course both systems run the same operating system. Which with Windows is probably a safe assumption. I question why having this chip flashable, just make it ROM only.