Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple’s iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries could also be used for more malicious purposes down the road.
The basis of Miller’s research, which he plans to present at the Black Hat conference in Las Vegas next month, is the battery that’s used in most Apple laptops. The battery, like many others in modern laptops, has a chip on it that contains instructions for how the battery is meant to behave and interact with the operating system and other components. Inspired by Barnaby Jack’s ATM hacking talk at last year’s conference, Miller was interested in seeing what would happen if he could get access to the chip and start messing with the instruction set and firmware.
A lot, as it turns out.
“The battery has its own processor and firmware and I wanted to get into the chip and change things and see what problems would arise,” said Miller, a principal research consultant at Accuvant.
What he found is that the batteries are shipped from the factory in a state called “sealed mode” and that there’s a four-byte password that’s required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into “unsealed mode.”
From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it’s not changed on laptops before they’re shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.
“That lets you access it at the same level as the factory can,” he said. “You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You’d need a vulnerability in the OS or something that the battery could then attack, though.”
In his lab, Miller was able to brick the battery so that it wouldn’t take a charge or discharge any power, and he said it’s also possible to send faulty instructions to the OS, giving it bad information about the level of power left in the battery. He wasn’t able to accomplish his main goal, however.
“I started out thinking I wanted to see if a bad guy could make your laptop blow up. But that didn’t happen,” he said. “There are all kinds of things engineers build into these batteries to make them safe, and this is just one of them. I don’t know if you could really melt the thing down.”
Miller plans to release a tool at Black Hat that will go in and change the defualt passwords on the battery’s processor so that the hacks he developed won’t work. It will lock the battery in sealed mode permanently.
