Slashdot Mirror


Apple Laptops Vulnerable To Battery Firmware Hack

Trailrunner7 writes "Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes down the road. Miller discovered the default passwords set on the battery at the factory to change the battery into unsealed mode and developed a method that let him permanently brick the battery as well as read and modify the entire firmware. 'You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though,' Miller said."

24 of 272 comments

  1. Why? by Qwell · · Score: 4, Insightful

    In other news - batteries have firmware.

    --
    As of 10/06/03, I hate COBOL developers.
    1. Re:Why? by CFD339 · · Score: 5, Informative

      Lithium Ion batteries are inherently unstable and have to be charged and discharged very carefully. Unlike the old school batteries you'd think of, these batteries have a controller to manage them built in. When that fails, you have big problems (remember the defective ones a few years ago that would just burst into flames?)

      --
      The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
    2. Re:Why? by joocemann · · Score: 2, Interesting

      In other news - batteries have firmware.

      WHY!!?!?! I echo your sentiment because this is ridiculous.

      1) Why would a device whose purpose is to provide electrical supply have to have firmware, or even some other-than-electrical relationship with the system.
      2) Why would someone permit any communication from the 'firmw'a....

      you know.. I could count out the reasons but it's just too frustrating to conceive the stupidity in Apple's choices here.

      THE REASON VULNERABILITIES ARE FOUND/EXPLOITED IS BECAUSE ENGINEERS/DEVELOPERS PERMIT THEM BY POOR DESIGN.

      If the target pathway of the attack was not open or existent, it could not occur. This is the absolute logic of the situation. In nearly all cases, if there is no backdoor you cannot open it. The people making software and hardware need to be thinking about how to achieve goals without opening doors. They should be considering the involvement of absolute hardware protection on the PHYSICAL level, possibly even involving analog technology, that mediates security. I know a bunch of shortsighted CS people will reply with their lack of brainstorming answers, telling me it's not possible... The winner being the one who can make it possible.

    3. Re:Why? by jo_ham · · Score: 3, Insightful

      You got it right the first time - to control the charging process. That is the "non predatory" reason that lithium ion batteries have chips in them, and it is *absolutely* not unique to Apple.

      Don't let facts get in the way of a good Apple bash though!

    4. Re:Why? by TheGratefulNet · · Score: 2

      hey, I just 'flashed' my battery.

      is that good or bad?

      and, if I crossflash to another model, can I overclock its volts?

      --
      "It is now safe to switch off your computer."
    5. Re:Why? by DigiShaman · · Score: 2

      Don't worry, the Department of Homeland Security will propose that all software developers have to be certified with an engineering like degree which ties back to a federal oath you must take. You will be held accountable but also have job security. Oh, and tuition for proper training will exceed $100,000.

      Wanna code, you gotta be rich. You'll be less likely to be a terrorist anyways right? Oh, and all non-certified programming is illegal punishable as a felony and a trip to prison.

      You think I'm joking? That's the future we have to look forward to. That, and the Government is looking to expand its influence in all matters that shape society (as it always has done).

      --
      Life is not for the lazy.
    6. Re:Why? by bughunter · · Score: 3, Interesting

      I had a similar problem with a macbook pro battery I bought in Jan 2010. By Jan 2011, it would barely hold 30 minutes of operating energy, and reported a health of 15%. The number of cycles reported was 49. Not a typo. Forty-nine.

      No amount of "calibrating" the battery nor resetting the EPS would change this. I had to fork out $129 for a new battery. As it turns out, leaving the damn thing plugged in all the time and never draining the charge severely shortens the life of the cells.

      Lesson: run the thing from the battery every once in a while.

      --
      I can see the fnords!
    7. Re:Why? by Bing+Tsher+E · · Score: 2

      The firmware is so that Apple can make sure you are only using Apple-approved battery chargers to charge your iDevice. They disabled many of the low-cost chargers on the iPhone/iPod platform with one of the early iOS 4.x releases. Suddenly the charger I had made by just hooking up a fairly hefty 5 volt supply to the power pins on an old synch cable ceased working. (Reverse engineers have discovered that there's a hack, using voltage divider resistors in the data pins on the USB connection that 'fixes' the issue.)

      Just as printer manufacturers put 'smarts' in ink cartridges to force people to not refill, Apple's battery charging technology has been tweaked so we only buy accessories from vendors who have kissed Steve's.... er... ring.

    8. Re:Why? by fgodfrey · · Score: 2

      That's not quite true. The iPhone is capable of drawing more power than the USB spec allows to charge (USB allows 500mA at 5V, the iPhone can draw up to 1A, IIRC). However, so as not to fry a USB port that is not rated to drive the phone, it looks for the voltage divider resistors. The charger you made should have had 15k pull-down resistors on D+ and D- in it to be a compliant USB host interface. I suspect few, if any, devices check for it, but the charger you made does not meet the USB spec. Any charger that meets the spec will work fine with iPhone, it just will charge at 500mA max, but it *will* charge. Check out the "Minty Boost" schematic here.

      I don't think Apple actually documents what you have to do to get it to charge at full power, which is kinda cheesy, but it's well documented by people who've reverse engineered it.

      Also, none of this is related to the actual article. The firmware in the battery is well beyond the point where the stuff you're talking about is checked. It's there to keep the battery from catching fire. All Lithium-Ion batteries have it. I strongly suspect that this bug is not unique to Apple.

      --
      Go Badgers! -- #include "std/disclaimer.h"
    9. Re:Why? by adri · · Score: 4, Informative

      And you're the know-it-all guy who prematurely called it.

      Figuring out Lion/NiMH cell charging by analog methods is actually quite difficult to do when you're charging the battery at stupidly high current, which is what's going on here. The NiCD way of measuring the voltage drop/resistance doesn't work as well - the change is too sharp. There's not one charging rate (fast and trickle), there's a "curve" to maximise battery life and minimise damage/risk of explosion. It changes over the life of the battery, so you can't just "assume" a common curve. You may have a fully-charged battery, so you have to know how much charge is in there before you start charging it at full current.

      These laptop battery cells can double as exploding timebombs if you're not careful. Hence yes, there's a microcontroller in them to keep track of exactly what's going on.

    10. Re:Why? by the_raptor · · Score: 2

      If that was your main point you made a piss poor attempt at communicating it (Hint: communication does not involve yelling at people if they appear to not understand you).

      You raised a valid point about battery firmware being easily writeable*, but look totally ignorant about modern battery technology by questioning the necessity of battery controllers with Lithium chemistry batteries.

      * Making it not really firmware as far as I understand the definition. Most re-writeable firmware needs special high voltage lines to do the write, and normally people don't design those into a product.

      --

      ========
      CINC, 4th Penguin Legion
  2. PSP Pandora Battery by MBCook · · Score: 2

    Isn't this sort of like how the Pandora Batteries worked on the PSP? I think they enabled a diagnostic mode as opposed to a direct hack, but the battery being used to corrupt the system thing isn't totally new.

    On the plus side, the hard to replace batteries people complain about make this attack more difficult to perform, instead of just taking a few seconds.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:PSP Pandora Battery by Anarchduke · · Score: 2

      That's a minus, not a plus. A hard to replace battery isn't any harder to hack, it's just harder to fix.

      --
      who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
  3. No worries here by JoeWalsh · · Score: 5, Funny

    I don't have to worry about that. Not only am I using a Dell, but my battery exploded.

    1. Re:No worries here by jittles · · Score: 3, Informative

      Actually, it's not terribly hard to remove the batteries on the 2011 Macbook pros. Not something you could do easily on a plane, or in the car, but you can definitely do so with just two screwdrivers. Or one screwdriver with a replaceable bit.

  4. Firmware should have a write-enable switch by davidwr · · Score: 5, Insightful

    This is just one more reason why software that's not designed to be frequently changed should be write-protected unless the user sets a specific hardware switch.

    If the hardware switch is in its default location - "protect" - it should be mathematically provable that the firmware cannot be overwritten.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Re:Physical access? by SomePgmr · · Score: 3, Interesting

    I only skimmed it, but it doesn't seem to say if he needed physical access to the battery to do this. Obviously the two must communicate (on-battery and OS), but it doesn't say if access was achieved on an in-use battery from the host machine.

    Obviously this is important, because it changes the attack vector significantly. There's a big difference between being vulnerable to the battery manufacturer or if a random infection could push code to the battery (or even brick it).

  6. Re:Physical access? by Hognoxious · · Score: 2, Insightful

    Doesn't this exploit require physical access to the actual battery?

    I'm not worried, mine has never been anywhere near a Chinaman.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Re:Vulnerabilities by YodasEvilTwin · · Score: 2

    No it doesn't. He grabbed the passwords from updates and now has access, no vulnerabilities required.

  8. Re:OSX is the least secure OS in mainstream use by makubesu · · Score: 4, Informative

    If I install windows or some linux flavor on my mac, it doesn't mean this vulnerability goes away. It's a hardware problem, hardware made by someone besides apple. I'm not sure what this has to do with which operating system is most secure.

  9. Lulz by ae1294 · · Score: 2

    So does anyone know if the firmware can be upgraded to cause the battery to burst into flames? That would be funny and probably not covered by the Apple warranty.

  10. Re:Yes, it is helpful: it lets you exchange cells by Toonol · · Score: 2

    This both enables people to refurbish packs (which has its consequences, since untracked Li-Ion cells can be *dangerous*), and to sell counterfeit packs (which is even worse).

    On the plus side, it might allow refurbished packs and cheap offbrand replacements.

  11. one hack to ruin them all.... by pbjones · · Score: 3, Insightful

    If it's a problem at Apple then it's a problem with a number of other hardware devices that use the same battery controllers, so your windoze laptop isn't safe either. Someone could also hack my Logitech Mouse and brick it too, or any number of peripherals that have upgradeable firmware, like my router, printer, keyboard, the list goes on.

    --
    There was an unknown error in the submission.
  12. Decades old news by pbjones · · Score: 3, Insightful

    BTW, Apple batteries have had firmware for the last 10-15 years, so your info is a little late.

    --
    There was an unknown error in the submission.