LAS VEGAS--The latest security threat to your laptop comes from an unexpected source: its battery.
A security researcher demonstrated today at the Black Hat security conference how he was able to gain complete control of the microprocessor embedded in batteries used in Apple Macintosh laptops and then remove or bypass the built-in safeguards.
"I can clearly brick the battery," said Charlie Miller, principal research consultant at security firm Accuvant Labs. "That's a cinch. I'm a pro at that."
Miller suggested it would be possible to overheat a battery and start a fire by convincing a controller that the battery was discharged, even though it was completely full, but said he has not tried it and an analog fuse may prevent disaster. "The charger will think the remaining capacity is whatever I want," he said. "So it might overcharge."
Accuvant posted working code today featuring an interface that Miller wrote that makes it easier to send commands to the battery controller.
Bricking a battery, of course, doesn't mean that a laptop ceases to work. And older MacBook Pro laptops have batteries that can be replaced in seconds. But newer MacBook Pro laptops, and the MacBook Air, have.
Even worse, if malware successfully slips past the defenses built into OS X and takes up residence on a laptop, it could continue to keep bricking replacement batteries.
Miller said the attack could take place in the other direction as well: Malware inserted into the battery's firmware could try to seize control of the computer even if the operating system were reinstalled. "If the OS kernel has a bug, you could attack the OS from the battery," he said.
Apple uses three chips made by Texas Instruments to control its laptops' batteries. Two provide protection against overcharging, short circuiting, and so on, while the TI BQ20Z80 chip keeps track of the battery's status, maintains the charge, and communicates with the laptop.
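The overcharge scenario Miller describes depends on the host accepting whatever capacity the gauge chip reports. As an added example (not code from the article or from Accuvant's release), the following host-side check cross-validates Smart Battery System registers against each other and against the measured pack voltage; the command codes are the public SBS 1.1 ones, while the per-cell voltage thresholds and the register dumps are assumptions constructed for this example.

```python
# Added example, not from the article or Miller's released tools: a host-side
# plausibility check over Smart Battery System (SBS) registers. Command codes
# follow the public SBS 1.1 spec; thresholds and register values are constructed.

VOLTAGE = 0x09               # pack voltage, mV
RELATIVE_SOC = 0x0D          # state of charge, percent
REMAINING_CAPACITY = 0x0F    # mAh
FULL_CHARGE_CAPACITY = 0x10  # mAh
DESIGN_VOLTAGE = 0x19        # nominal pack voltage, mV

NOMINAL_CELL_MV = 3600  # assumption: ~3.6 V nominal per Li-ion cell
FULL_CELL_MV = 4100     # assumption: a cell at/above this is nearly full
EMPTY_CELL_MV = 3500    # assumption: a cell at/below this is nearly empty


def check_battery(regs):
    """Return inconsistencies between the gauge's report and what the other
    registers imply; an empty list means the report is plausible."""
    findings = []
    v, soc = regs[VOLTAGE], regs[RELATIVE_SOC]
    rem, full = regs[REMAINING_CAPACITY], regs[FULL_CHARGE_CAPACITY]

    # 1. Remaining capacity can never exceed full-charge capacity.
    if rem > full:
        findings.append("RemainingCapacity exceeds FullChargeCapacity")
    # 2. Reported state of charge must match the capacity ratio (2-point slack).
    if full and abs(soc - round(100 * rem / full)) > 2:
        findings.append("RelativeStateOfCharge disagrees with capacity ratio")
    # 3. Cross-check against physics: a self-consistent but false report (the
    #    "full pack reported as empty" case from the article) is only caught
    #    by comparing the gauge's claim with the measured pack voltage.
    cells = max(1, round(regs[DESIGN_VOLTAGE] / NOMINAL_CELL_MV))
    per_cell = v / cells
    if soc < 20 and per_cell >= FULL_CELL_MV:
        findings.append("Pack voltage says full but gauge reports nearly empty")
    if soc > 80 and per_cell <= EMPTY_CELL_MV:
        findings.append("Pack voltage says empty but gauge reports nearly full")
    return findings


# Constructed register dumps (not captured from real hardware).
HEALTHY = {VOLTAGE: 12450, RELATIVE_SOC: 95, REMAINING_CAPACITY: 5200,
           FULL_CHARGE_CAPACITY: 5500, DESIGN_VOLTAGE: 10800}
# Same pack, but the gauge claims it is almost empty while voltage shows full.
SPOOFED = {**HEALTHY, RELATIVE_SOC: 5, REMAINING_CAPACITY: 300}
# Corrupted gauge data: remaining capacity above the full-charge figure.
CORRUPT = {**HEALTHY, RELATIVE_SOC: 100, REMAINING_CAPACITY: 6000}

if __name__ == "__main__":
    for name, regs in (("healthy", HEALTHY), ("spoofed", SPOOFED), ("corrupt", CORRUPT)):
        print(name, check_battery(regs) or "OK")
```

The second dump is internally consistent, so only the voltage cross-check (rule 3) exposes it; an analog fuse, as Miller notes, is the last line of defense when the host has no such check.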
Miller's presentation described how he began trying to figure out how the laptops communicate with their batteries and discovered that Apple did not change the default battery password. Here's an excerpt:
For the batteries that ship with all the Apple laptops I tested, the password to unseal the battery and the password to enter full access mode are the hard-coded values provided in Texas Instruments documentation. In this work, I provide API functions which can be used to communicate with the battery. This allows the ability to make arbitrary configuration changes as well as dumping of the data flash and instruction flash. I provide IDA Pro scripts to disassemble the machine code from the firmware. We provide a way to disable the firmware checksum as well as to make arbitrary changes to the smart battery firmware. Due to the nature of the Smart Battery System, changes made to the smart battery firmware may cause safety hazards such as overcharging, overheating, or even fire.
One of the utilities he released today lets you change the password from its default setting.