Charlie Miller is a well-known and active hacker due to his regular hacks of popular web browsers at CanSecWest. But his latest discovery is a hack found where no one else would ever bother looking: the battery of an Apple laptop.
Miller has discovered that the chips used to monitor the rechargeable batteries in Apple’s MacBook, MacBook Pro, and MacBook Air lines can be hacked with serious consequences.
The hack is possible because no one ever bothered to secure those battery monitoring chips against attack. Surely no one would try to use a battery microcontroller to infiltrate a system, right? Of course they would if it meant complete control of a laptop was possible.
That’s exactly what Miller has been able to achieve. By reverse engineering the firmware used for the chips he can tell the laptop anything he wants about the state of a battery. That makes it very simple to render the battery unusable, forcing the user to buy an expensive replacement. Although he didn’t attempt it, overloading the battery to the point where it overheats and causes damage is also feasible.
It gets worse, though. Instead of relaying battery status updates to Mac OS, Miller believes it would be possible to inject malware onto the system through the chip. That would allow a system to be infected with malware without any user interaction at all. Because the malware installation is controlled by the chip it is also very difficult to get rid of. You could format your entire system only to have the malware reinstall itself on the next clean boot.
Miller will be presenting his findings at the Black Hat security conference next month. He is also going to give details of how to apply a fix, which I’m sure Apple will be very interested to hear about. The fix is expected to simply replace the default password on each chip with a random string of characters so that every laptop is different, rendering any such hack useless.
For the moment, it seems unlikely this is a vulnerability being used by hackers. The discovery involved Miller first having to find two passwords relating to the chips in a 2009 Apple software update, then he reverse engineered the firmware they used, and then he started experimenting to see what could be achieved. In the process he bricked around $900 worth of batteries.