Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple’s iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road.

The basis of Miller’s research, which he plans to present at the Black Hat conference in Las Vegas next month, is the battery that’s used in most Apple laptops. The battery, like many others in modern laptops, has a chip on it that contains instructions for how the battery is meant to behave and interact with the operating system and other components. Inspired by Barnaby Jack’s ATM hacking talk at last year’s conference, Miller was interested in seeing what would happen if he could get access to the chip and start messing with the instruction set and firmware.

A lot, as it turns out.

“The battery has its own processor and firmware and I wanted to get into the chip and change things and see what problems would arise,” said Miller, a principal research consultant at Accuvant.

What he found is that the batteries are shipped from the factory in a state called “sealed mode” and that there’s a four-byte password that’s required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into “unsealed mode.”

From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it’s not changed on laptops before they’re shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.

“That lets you access it at the same level as the factory can,” he said. “You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You’d need a vulnerability in the OS or something that the battery could then attack, though.”

In his lab, Miller was able to brick the battery so that it wouldn’t take a charge or discharge any power, and he said it’s also possible to send faulty instructions to the OS, giving it bad information about the level of power left in the battery. He wasn’t able to accomplish his main goal, however.

“I started out thinking I wanted to see if a bad guy could make your laptop blow up. But that didn’t happen,” he said. “There are all kinds of things engineers build into these batteries to make them safe, and this is just one of them. I don’t know if you could really melt the thing down.”

Miller plans to release a tool at Black Hat that will go in and change the default passwords on the battery’s processor so that the hacks he developed won’t work. It will lock the battery in sealed mode permanently.

Categories: Malware, Vulnerabilities

Comments (33)

  1. Anonymous
    2

    Perhaps I missed it, but it doesn’t seem to say if access was from the host machine to an in-use battery, or if it had to be removed.  Do we know how it was done?

  2. Anonymous
    5

    It will lock the battery in sealed mode permanently.

    No, it will not. The chips do not have that feature. He just changed the key. This will of course disable future updates.

    As far as putting code in the chip that could do something to add malware to the host, that would be interesting.

    Locking up the SMBus, that would be easier.

  3. Anonymous
    6

    Another typical Apple failure.

    This is why I never by their products, they cost 3 times as much and are basically bottom budget hardware in a nice case.

  4. Max Load
    8

    @Anonymous (not verified) on Sat, 07/23/2011 – 4:13am, well said and quite true.

  5. Anonymous
    9

    I have an apple laptop it has Li ion battery

    it consists of 12 5/4 A cells

    there are 6 small pins that shove into the computer

    all the pins look like high impedance with anything I poke them with

    i can buy new cells for about $30 

    I can buy a new battery for about $250

    i can charge the cells from an external power supply and still get no way to run the computer from the battery, without the power supply

    I have no idea what’s wrong.

    The computer? The cells? The battery’s computer? Something preventing talk from the computer to the battery?

    is there any way to test or talk to this thing to get useful info?

  6. Anonymous
    10

    Re: can’t use battery without power supply — you can try resetting the power management unit on your laptop.  Google for instructions.

    Re: threats from battery firmware hacking.  So far, it sounds more theoretical, but I agree the battery/laptop interface needs to be looked at.  Presumably it shouldn’t be too hard to secure it, since it has a limited scope.

    Re: Apple hardware being overpriced and shoddy.  This comment makes no sense.  Whenever I’ve compared prices for similarly-equipped, they are close, with Apple sometimes being more expensive and sometimes less, but never by that much.  Factor in the ease of use and lower frustration, and it’s cheaper, in my view.  But, nothing in the article gives any hint that this is in any way unique to Apple.  Presumably it applies to all batteries.

  7. Anonymous
    11

    You need physical access to the Mac or the battery to hack the firmware. Wouldn’t it be easier to use lighter fluid and a match, rather than hacking firmware, to set the Mac on fire?

  8. Anonymous
    12

    Why is every article with a comment section that’s even *remotely* related to technology treated like a free tech support service by certain people? Yes, I’m looking at you, commenter a couple of posts up with the broken battery expecting some person he’s never met to drop everything and solve his problem.

  9. Anonymous
    13

    Have there been discoveries in the past regarding laptops of the Windows flavor (Dell, Acer, Gateway, etc.)?

  10. Anon
    14

    Well, there was that issue with some poorly manufactured HPs a while back that created a defective battery that would actually set your notebook on fire and melt it (some pretty cool YouTube videos in that regard).  But, again, that was a manufacturing defect- not malware.

    I agree- how did he access the code for this?  Did he have to do it natively on the MacBook of the battery he was trying to manipulate?  Or, was he able to access it remotely?  If only natively- then it’s just a theoretical possibility, atm.  But, still not one I would relish the thought of.  Glad to see he’s got a patch developed for it.

  11. DAVID DUNN
    15

    PRO MAC BOOK IS MY FIRST LAPTOP COMPUTER AND I HAVE BEEN IMPRESSED SO FAR WITHOUT PROBLEMS, THANK-GOD GREAT INVESTMENT TIME WILL LET US KNOW FOR SURE. APPLE HAS BEEN VERY HELPFUL. WISHFULLY BELIEVING THAT PHILOSOPHY WELL REMAIN MINE THROUGH-OUT MY HEALTHY ADDICTION TOWARD MAC. I HAVE BECOME A MAC APPLE GENIUS WANT TO BE THROUGHOUT MY EXPERIENCE. EDUCATED KNOWLEDGE HAS ALWAYS OPENED MY MIND. APPLE IS THE BEST INVESTMENT PEOPLE ARE BECOMING AWARE OF THE BENEFITS OF MAC SLOWLY HOWEVER, SURELY. DAVID DUNN. POWER FOR MAC CHEERLEADER. CHEERS. SMART AND BEAUTIFUL. FORD MODEL GRADUATE MANHATTAN NEW YORK!!!!!! AND MORE.

  12. Helge Hafting
    17

    Not a problem

    The only one who communicates with the battery processor is a device driver. This driver is provided by the vendor and is therefore trustable. It doesn’t matter if the battery password is well known – the battery is protected by the operating system anyway.

    It does not matter that a hacker can destroy the battery, AFTER taking control of the OS. A hacker in control of the OS can destroy the files on disk, which cost a lot more in case of machines used for actual work!

  13. Anonymous
    19

    The bad guys are already using it. Ever wonder why you need to replace the battery on a mac every year…

  14. Anonymous
    20

    Yes you know all about Apple having never used their products: typical. You are likely fixated on one OS, probably something out of Redmond or maybe you are convinced you are a linux guru. Regardless, the fact is that Apple products tend to have a longer life in the work place than windows or linux boxes, and with the proper setup you can run a variety of OSs seamlessly. I spent years believing the gospel according to Bill or Linus, but once I had a Powerbook I realised where we were going as a company. Now our IT costs have dropped far more than the extra cost of the hardware, which is nowhere near 3 times what the other realistic options were. Maybe you honestly believe a BMW is really a Trabant as well. I never cease to be amazed at the whining about costs from some folks, like suburbanites who think a cheaper home is worth spending 2-4 hours more a day commuting than my 10 minute train ride in the city centre. Yep, I paid more for my home in the city, but I spend easily 10-20 hours more a week close to home. I can shop at a range of stores, go to concerts, fine restaurants, and I only drive when I decide I want to. Oooooh my place cost at least 3 times what it would cost out in idiotland but I can afford it. The only folks who complain about it simply can’t afford it so they mock and criticize. 

  15. Anonymous
    24

    The article clearly states Apple has sent patches to the battery in the past. In other words, physical access is not required.

  16. Anonymous
    25

    If you actually believe that Apple products are in any way high-quality, you’ve never had to deal with them. Sure, they feel pretty solid at first, but as soon as a problem arises, oh boy, are you in for some fun.

  17. Natanael L
    26

    Why? People need to be aware of these risks, and he’s doing his job on reporting them.

  18. Anonymous
    28

    why don’t you buy yourself an education dumb ass !!! ..Is that why you don’t “by” mac products.

  19. Anonymous
    29

    Obviously you can’t afford a MacBook, or is that a first grade education?  You’re a dumb ass, you won’t “by” anything from Apple. Stick with your P.C., shit for brains.

  20. Anonymous
    30

    I wonder… Do you realize how much of a douche you sound like? I hope you enjoy your nice house, though I imagine it to be you and your cat sans girlfriend after she left you for your endless rants and lack of an enter key to paragraph those rants.

  21. Gonzofan
    32

    Amen, brother. I experienced a similar situation when we switched to Apple from Windows two years ago. There’s no chance of going back

Comments are closed.