Security expert finds vulnerability exposing MacBook batteries to 'bricking,' malware

Posted in General Discussion, edited January 2014
A prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow attackers to ruin the batteries, or to install malware in their firmware that could in turn corrupt a Mac.



Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal the MacBook battery vulnerability he has discovered, and offer a fix for it, next month, Forbes reports. Miller found the default passwords used to unlock the microcontroller in Apple's batteries inside a 2009 Apple battery firmware update, and used them to gain access to, and rewrite, the battery firmware.



Apple and other laptop makers build an embedded microcontroller into their lithium-ion laptop batteries to monitor the charge level, start and stop charging, and regulate temperature.



During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that attackers could use the vulnerability to install difficult-to-remove malware, or, in a worst-case scenario, cause the batteries to explode.



"These batteries just aren't designed with the idea that people will mess with them," he said. "What I'm showing is that it's possible to use them to do something really bad." According to him, few IT administrators would think to check the battery, which would give attackers a place to hide malicious software that could repeatedly reimplant itself on the computer.



MacBook batteries bricked during security researcher Charlie Miller's research



Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference," he noted. "If you have all this control, you can probably do it."



Another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple years ago, but said he didn't get as far as Miller did.



Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.



"Caulkgun" will change a battery's default passwords to a random string of characters. While that will prevent attackers from breaking into the battery, it would also block any future battery firmware updates from Apple, since Apple's own updater relies on those same default passwords to reach the controller.

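The access-control model behind the two paragraphs above, as an added illustration that is not Apple's or Texas Instruments' code: a gas gauge that sits "sealed" until someone presents a two-word key, a firmware write that is gated only on that state, and a key rotation step of the kind Caulkgun performs. The command set, the key values and the firmware layout here are hypothetical (the real default keys the article mentions are deliberately not reproduced); the point the model makes is that the chip cannot distinguish a vendor updater from an attacker, so rotating the key locks out both.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified, hypothetical model of a smart-battery gas gauge's access
 * control. Real chips expose this through a specific command set and
 * key layout that this model does not reproduce. */
#define FW_SIZE 16

typedef enum { GAUGE_SEALED = 0, GAUGE_UNSEALED = 1 } gauge_state_t;

typedef struct {
    uint16_t key[2];           /* two-word unseal key held in data flash */
    gauge_state_t state;
    uint8_t firmware[FW_SIZE]; /* stand-in for the rewritable firmware */
} gauge_t;

/* Placeholder factory default, identical in every unit. The article
 * says Miller recovered Apple's real defaults from a 2009 updater;
 * those values are deliberately not reproduced here. */
static const uint16_t DEFAULT_KEY[2] = { 0x1234, 0xABCD };

/* Words a Caulkgun-style tool would draw from a CSPRNG; fixed here so
 * the demo is deterministic. */
static const uint16_t ROTATED_KEY[2] = { 0x5A5A, 0xC3C3 };

void gauge_init(gauge_t *g) {
    memcpy(g->key, DEFAULT_KEY, sizeof g->key);
    g->state = GAUGE_SEALED;
    memset(g->firmware, 0, FW_SIZE);
}

/* The only gate in front of a firmware rewrite: equality with the
 * stored key. The gauge cannot tell a vendor updater from an attacker;
 * whoever presents the key is "authorized". */
bool gauge_unseal(gauge_t *g, uint16_t w0, uint16_t w1) {
    if (g->key[0] == w0 && g->key[1] == w1) {
        g->state = GAUGE_UNSEALED;
        return true;
    }
    return false;
}

void gauge_seal(gauge_t *g) { g->state = GAUGE_SEALED; }

/* Firmware write; refused (image untouched) while sealed. */
bool gauge_write_firmware(gauge_t *g, const uint8_t *img, size_t len) {
    if (g->state != GAUGE_UNSEALED || len > FW_SIZE) return false;
    memcpy(g->firmware, img, len);
    return true;
}

/* Key rotation is itself a privileged write, so it needs the current
 * key first. This is the Caulkgun step, done with random words. */
bool gauge_rotate_key(gauge_t *g, uint16_t w0, uint16_t w1) {
    if (g->state != GAUGE_UNSEALED) return false;
    g->key[0] = w0;
    g->key[1] = w1;
    return true;
}

/* Owner runs Caulkgun: unseal with the default, rotate, reseal. */
static void owner_rotates(gauge_t *g) {
    gauge_unseal(g, DEFAULT_KEY[0], DEFAULT_KEY[1]);
    gauge_rotate_key(g, ROTATED_KEY[0], ROTATED_KEY[1]);
    gauge_seal(g);
}

/* Anyone who knows only the default key, attacker or vendor updater,
 * goes through exactly this path to unseal and flash an image. */
static bool default_key_flash(gauge_t *g, uint8_t fill) {
    uint8_t img[FW_SIZE];
    memset(img, fill, FW_SIZE);
    bool ok = gauge_unseal(g, DEFAULT_KEY[0], DEFAULT_KEY[1]) &&
              gauge_write_firmware(g, img, FW_SIZE);
    gauge_seal(g);
    return ok;
}

/* Successful attacker flashes out of two attempts, one before and one
 * after the owner (optionally) rotates the key: 2 unrotated, 1 rotated. */
int attacker_successes(bool rotated) {
    gauge_t g;
    gauge_init(&g);
    int wins = 0;
    if (default_key_flash(&g, 0xEE)) wins++;
    if (rotated) owner_rotates(&g);
    if (default_key_flash(&g, 0xEE)) wins++;
    return wins;
}

/* The cost the article notes: a vendor updater that only knows the
 * default key is locked out the same way once the key is rotated. */
bool vendor_update_succeeds(bool rotated) {
    gauge_t g;
    gauge_init(&g);
    if (rotated) owner_rotates(&g);
    return default_key_flash(&g, 0x01);
}
```

The "sealed" state is only as strong as the secrecy of a key that is the same in every unit and shipped inside an updater, which is why a per-device random key closes the hole; the same comparison that stops the attacker also stops Apple's updater, so the trade-off the article describes falls directly out of the model.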


The state of security



In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.



"Now, they've made significant changes and it's going to be harder to exploit," he said, as noted by The Register.



"It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus," said noted security consultant Dino Dai Zovi.



Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.



According to the researchers, Lion's biggest security improvement is its support for Address Space Layout Randomization (ASLR), which randomizes where system libraries and other critical components are loaded in memory so that an exploit cannot rely on fixed addresses. Apple also added sandboxing to Safari, which limits what an exploited browser process can reach on the rest of the system. Finally, the revamped FileVault can now encrypt an entire drive rather than only the user's home folder.

Comments

  • Reply 1 of 59
    I'm on my second defective Apple Mac Book battery. It is in a middle 2008 polycarbonate 2.4 GHz Core 2 Duo model. The first one expanded so much that it pushed the track pad and some keys upward causing them to stick. The latest replacement decided it would not hold a charge more than one and a half hours for a while. Then it refused to hold a charge more than a few minutes.



    This is from the batch that was recalled from Sony years ago. I assumed that they fixed the problem and stopped sending out defective ones. I assumed wrong.



    Apple refused to replace the first one. So I reported it to the Consumer Products Safety Commission or whatever it is called. Only then did Apple contact me and offer to replace it. The replacement only worked for a few weeks before problems started. My laptop computer is not relegated to being a desktop computer.



    Now that a software hack is about to be released into the world that could destroy more batteries, Apple had better prepare itself with some new batteries. What if such a hack or even a defect happens in the sealed batteries in the all aluminum models? That would be really bad.
  • Reply 2 of 59
    jnjnjn (member, 588 posts)
    Miller should get a life.



    J.
  • Reply 3 of 59
    beeman60 (member, 52 posts)
    Seems like anyplace there is flash-based firmware, there is a possibility that... well, you know, someone could alter it. Which is kind of the whole idea in the first place... you don't need an EEPROM burner to make changes nor physical access to the hardware.



    I am not saying that there isn't a vulnerability, just that it isn't surprising that it exists.



    Maybe we need less intelligent hardware???
  • Reply 4 of 59
    kmarei (member, 179 posts)
    Quote (originally posted by Beeman60):
    Maybe we need less intelligent hardware???



    I thought IBM compatibles had that covered
  • Reply 5 of 59
    Marvin (moderator, 15,320 posts)
    Quote (originally posted by AppleInsider):
    Of more concern is the possibility that hackers could use the vulnerability to install difficult-to-remove malware, or, in a worst-case scenario, cause the batteries to explode.

    Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference," he noted. "If you have all this control, you can probably do it."



    I'm pretty sure the explosions happened because the hardware was defective and not the software. They found extra metal shavings in one batch of batteries that reacted so I highly doubt adjusting the firmware would cause an explosion. However, being able to brick a battery is enough cause for concern.
  • Reply 6 of 59
    patranus (member, 366 posts)
    Great.

    Another hacker turned "security activist".

    Only out to make a name for himself. Doesn't care about anyone else.

    Hint, if he cared about security and users, he wouldn't release his findings to the general public.

    All these hacktivists are simply out for themselves.

    It is pretty sick.
  • Reply 7 of 59
    nagromme (member, 2,834 posts)
    I don’t think it’s as simple as him being a bad guy. Yes, he’s out for all those things, BUT his skills are genuine, and he’s doing good by finding real issues that can and should be fixed.



    He’s doing the right thing, as long as he lets the vendor issue a patch before he goes public.



    Oh... wait



    In any case, it sounds fixable—but I’ll wait for Apple’s fix, not his! Especially if his home-brew fix bricks the firmware anyway, leaving Apple’s own patch unable to run, as well as any other Apple battery firmware updates in future! No, thanks.



    Question: when he talks about the “potential” to install “malware,” does he really mean that the battery can access your file system? Or is that just an implication he’s willing to imply by vague language, knowing it’s not the case? Or is it just something that’s been reported without his full details? I’m wondering if the reality isn’t that the theoretical “malware” could itself only affect the battery. Still annoying/destructive, if that’s the case, but it’s not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be “on your computer,” but that would be misleading. What’s the real situation?



    As for the fire/explosion FUD... research a mechanism that could make such a thing happen by code alone. Until then, it’s just fearmongering. Great for anti-Apple headlines though! Let’s see if another “gate” springs up soon (Of course, other PC brands are probably just as vulnerable—but not as good for attention.)
  • Reply 8 of 59
    wings (member, 261 posts)
    Quote (originally posted by nagromme):
    I don't think it's as simple as him being a bad guy. Yes, he's out for all those things, BUT his skills are genuine, and he's doing good by finding real issues that can and should be fixed.

    He's doing the right thing, as long as he lets the vendor issue a patch before he goes public.

    Oh... wait

    In any case, it sounds fixable, but I'll wait for Apple's fix, not his! Especially if his home-brew fix bricks the firmware anyway, leaving Apple's own patch unable to run, as well as any other Apple battery firmware updates in future! No, thanks.

    Question: when he talks about the "potential" to install "malware," does he really mean that the battery can access your file system? Or is that just an implication he's willing to imply by vague language, knowing it's not the case? Or is it just something that's been reported without his full details? I'm wondering if the reality isn't that the theoretical "malware" could itself only affect the battery. Still annoying/destructive, if that's the case, but it's not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be "on your computer," but that would be misleading. What's the real situation?

    As for the fire/explosion FUD... research a mechanism that could make such a thing happen by code alone. Until then, it's just fearmongering. Great for anti-Apple headlines though! Let's see if another "gate" springs up soon (Of course, other PC brands are probably just as vulnerable, but not as good for attention.)



    Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.



    But my question is, who would want to go to the effort to ruin my battery? What's in it for them? And how on earth could firmware in a battery inject malicious code BACK into the O.S.? I'll believe it only when I see a demo. Until then I'm flagging this statement as crazy conjecture.
  • Reply 9 of 59
    timgriff84 (member, 912 posts)
    Quote (originally posted by Patranus):
    Great.

    Another hacker turned "security activist".

    Only out to make a name for himself. Doesn't care about anyone else.

    Hint, if he cared about security and users, he wouldn't release his findings to the general public.

    All these hacktivists are simply out for themselves.

    It is pretty sick.



    If he didn't release his findings then he couldn't win competitions. If he didn't win competitions then he would have no reputation and then couldn't make money from being a known expert. If he can't make money from that then there's nothing to pay for him to find these things and pass the information on to Apple and others.



    Obviously he's out for himself, but so is everyone else. We all work to get paid; some of us enjoy our jobs, but if we weren't paid we wouldn't do them. At the same time he's still helping Apple make their products more secure.
  • Reply 10 of 59
    jensonb (member, 532 posts)
    A true White Hat doesn't release exploits to the public until the vendor has issued a patch. Miller is clearly a Grey Hat.
  • Reply 11 of 59
    noirdesir (member, 1,027 posts)
    Quote (originally posted by nagromme):
    Question: when he talks about the "potential" to install "malware," does he really mean that the battery can access your file system? Or is that just an implication he's willing to imply by vague language, knowing it's not the case? Or is it just something that's been reported without his full details? I'm wondering if the reality isn't that the theoretical "malware" could itself only affect the battery. Still annoying/destructive, if that's the case, but it's not a gateway to what most people think of as real malware: something that affects or steals your data, apps or OS. You could call malware that exists only on your battery and never gets out to be "on your computer," but that would be misleading. What's the real situation?



    The battery circuit sends signals to the computer (firmware+OS), essentially its status. If there is a security hole (e.g., a buffer overflow) in the OS code reading the battery's messages, the battery could potentially gain access to the filesystem.

    I think it is highly unlikely, at best it might just corrupt part of the firmware or OS, bricking, handicapping or disrupting the functioning of the computer and the OS but not being able to execute any useful code for the malefactor.
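The host side of the mechanism the reply above sketches, as an added example that is not part of any post here and not Apple's driver code. Smart batteries answer SMBus block-read commands such as ManufacturerName (SBS command 0x20) with a count byte followed by that many data bytes, and SMBus caps a block at 32 bytes. A host driver that trusts the count byte when copying into a fixed buffer has a classic stack overflow, which is exactly the class of bug a battery with hostile firmware could reach. The frame bytes below are constructed for the demo, the buffer size and function names are hypothetical, and the vulnerable version is shown for contrast only and never fed hostile input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMBUS_BLOCK_MAX 32 /* SMBus caps a block transfer at 32 data bytes */
#define NAME_BUF 16        /* hypothetical driver buffer for the name string */

/* Vulnerable pattern: the device-supplied count byte decides how much
 * is copied into a fixed buffer. A hostile battery sets it to 0xFF and
 * the driver writes well past a 16-byte buffer. Kept for contrast
 * only; never called with hostile input below. */
size_t parse_name_unsafe(const uint8_t *frame, char out[NAME_BUF]) {
    uint8_t count = frame[0];       /* trusted as-is: attacker controlled */
    memcpy(out, frame + 1, count);  /* overflows when count >= NAME_BUF */
    out[count] = '\0';
    return count;
}

/* Hardened version. Checks the count against the protocol limit and
 * against the bytes actually received, truncates to the destination,
 * NUL-terminates, and refuses non-printable bytes so a hostile name
 * cannot smuggle control sequences into logs. Returns bytes stored, or
 * -1 for a malformed frame. */
int parse_name_safe(const uint8_t *frame, size_t frame_len, char out[NAME_BUF]) {
    if (frame == NULL || frame_len < 2) return -1;
    size_t count = frame[0];
    if (count == 0 || count > SMBUS_BLOCK_MAX) return -1; /* outside SMBus spec */
    if (count > frame_len - 1) return -1;                 /* claims more than was read */
    size_t n = count < NAME_BUF - 1 ? count : NAME_BUF - 1;
    for (size_t i = 0; i < n; i++) {
        uint8_t c = frame[1 + i];
        if (c < 0x20 || c > 0x7E) return -1;              /* non-printable byte */
    }
    memcpy(out, frame + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed frames standing in for what the SMBus controller hands
 * back after a block read of ManufacturerName (SBS command 0x20). */
static const uint8_t BENIGN_FRAME[]  = { 5, 'A', 'c', 'm', 'e', '1' };
static const uint8_t HOSTILE_FRAME[] = { 0xFF, 'X', 'X', 'X', 'X' }; /* count 255, 4 bytes sent */
static const uint8_t ESCAPE_FRAME[]  = { 4, 0x1B, '[', '2', 'J' };  /* in-spec count, control bytes */

/* 1 if the benign frame parses to "Acme1" (5 bytes), else 0. */
int check_benign(void) {
    char name[NAME_BUF];
    int n = parse_name_safe(BENIGN_FRAME, sizeof BENIGN_FRAME, name);
    return n == 5 && strcmp(name, "Acme1") == 0;
}

/* Hardened parser's result on the oversized-count frame (-1). */
int check_hostile(void) {
    char name[NAME_BUF];
    return parse_name_safe(HOSTILE_FRAME, sizeof HOSTILE_FRAME, name);
}

/* Hardened parser's result on the control-byte frame (-1). */
int check_escape(void) {
    char name[NAME_BUF];
    return parse_name_safe(ESCAPE_FRAME, sizeof ESCAPE_FRAME, name);
}

/* A full 32-byte in-spec block is truncated to NAME_BUF - 1 = 15 bytes. */
int check_truncation(void) {
    uint8_t frame[1 + SMBUS_BLOCK_MAX];
    frame[0] = SMBUS_BLOCK_MAX;
    memset(frame + 1, 'B', SMBUS_BLOCK_MAX);
    char name[NAME_BUF];
    return parse_name_safe(frame, sizeof frame, name);
}
```

The design point is that once the battery firmware is attacker-controlled, every byte it returns over the bus is untrusted input, and the driver has to bound copies by its own buffer and by what was actually received, never by a length the device claims.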
  • Reply 12 of 59
    c-ray (member, 40 posts)
    The image in the article shows MacBook removable batteries. They appear to be similar to the MacBook battery that I replaced recently (in my MacBook 4,1). I used a 3rd party battery that was substantially less expensive than the Apple replacement battery. Now I have several questions...



    1) Does the 3rd party battery have the same default password that the original battery had?

    2) Would the 3rd party battery take firmware updates sent out by Apple (assuming they cared about a 3 year old design at this point)?

    3) Is the default password something assigned by Apple or TI (I'm guessing the latter)?

    4) How does anyone know that these 3rd party batteries (the one I bought says 'agptek' on the box) are free of malware in the first place?



    like I didn't have enough things to worry about already
  • Reply 13 of 59
    lfmorrison (member, 698 posts)
    Quote (originally posted by Jensonb):
    A true White Hat doesn't release exploits to the public until the vendor has issued a patch. Miller is clearly a Grey Hat.

    (and others...)



    Perhaps you missed a couple of points in the story above:



    1) Miller has not released the technical details of the vulnerability yet. Nobody could create an exploit using only the data that has been released so far. Apple and Texas Instruments still have an opportunity to release a patch before the details are released.



    2) When Miller does release the technical details, he has announced that he will also be releasing his own tool to plug the vulnerability at the same time. (This tool is something of a blunt instrument, though: it replaces the battery's password with a random string so no future legitimate Apple updates for future stability and feature improvements will work after installing Miller's patch. This is a tradeoff that each hardware owner would have to consider.)
  • Reply 14 of 59
    jragosta (member, 10,473 posts)
    Quote (originally posted by Wings):
    Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.

    But my question is, who would want to go to the effort to ruin my battery? What's in it for them? And how on earth could firmware in a battery inject malicious code BACK into the O.S.? I'll believe it only when I see a demo. Until then I'm flagging this statement as crazy conjecture.



    And, of course, for someone to install an exploit (even if it existed), they'd have to get access to your computer. If they have access to your computer, there are easier ways to install malware. Or they could simply steal the computer.



    It's an interesting theoretical result. But until someone demonstrates a mechanism whereby the computer could be affected, it's purely theoretical.



    It's no different than the situation with cars today. My car has a USB port where I can plug in my iPod. Many of the car's features are run by computers and all of them are connected in one way or another. So, in theory, it would be possible to have malware on my iPod that would cause the engine to shut down when I hit 60 mph. I'm not holding my breath, though.
  • Reply 15 of 59
    jeffdm (member, 12,951 posts)
    Quote (originally posted by Beeman60):
    Seems like anyplace there is flash-based firmware, there is a possibility that... well, you know, someone could alter it. Which is kind of the whole idea in the first place... you don't need an EEPROM burner to make changes nor physical access to the hardware.

    I am not saying that there isn't a vulnerability, just that it isn't surprising that it exists.

    Maybe we need less intelligent hardware???



    It's not all bad. The batteries recalibrate themselves as they gradually fade, so EEPROM might not be the best thing to do. Also, if they find an improved charging technique, they can release an update.
  • Reply 16 of 59
    bsimpsen (member, 398 posts)
    Quote (originally posted by Wings):
    Yes, firmware could cause damage and even fire/explosion to a Li-Ion battery. Say the malicious battery code caused the battery to charge at its maximum rate far beyond its capacity. You get heat when that happens. Enough heat and you get bursting and/or fire.



    This is completely incorrect. There is NO way for a firmware failure to cause the kinds of hazards claimed here or by Mr. Miller. The agency certifications carried by Apple products (UL/CSA/IEC) require that those products be designed and tested to the applicable safety standards. In the case of a LiPo battery pack, the charging circuits must not cause undue stress to the batteries even in the presence of a single point fault. The cells themselves must be certified against the applicable bare battery safety standards.



    The lab performing the safety test will analyze the pack's circuitry to identify those places where a circuit fault will cause the most stress to the cells and they will cause a fault there. The resulting stress must remain within the cell's specified safe operating area.



    As a result of these regulatory requirements, virtually all certified battery packs have double or triple redundancy in their charge/discharge safety circuits. A firmware failure would NOT pose a safety threat.



    It is possible for a firmware hack to degrade pack life or render the battery gauge useless. I highly doubt that hacking the battery firmware would result in the installation of malware. Does anyone really think that Mac OS stores x86 code in the battery? It may be that X86 code could malfunction if the battery pack does not communicate properly, but the idea that a virus could be installed in the battery pack, then re-insert itself in MacOS after a virus sweep, is pure fantasy.



    Unfortunately, the engineering of a product such as a Mac requires a great deal of specialized knowledge which neither Mr. Miller, the journalism community, nor the public at large possess. As a result, we get the sort of hyperbole of "antennagate" and now this.



    Caveat reader.
  • Reply 17 of 59
    c-ray (member, 40 posts)
    Quote (originally posted by jragosta):
    And, of course, for someone to install an exploit (even if it existed), they'd have to get access to your computer. If they have access to your computer, there are easier ways to install malware. Or they could simply steal the computer.



    or they could sell you a replacement battery, with the malware pre-installed. These are batteries, they will fail eventually, and would need to be replaced. Many of the purchasers may have moved along to more recent model laptops, but the old ones will still float around for a while.
  • Reply 18 of 59
    mrstep (member, 513 posts)
    So someone would need to install malware on my machine, which could then infect the firmware, which could then infect the OS... aside from it re-installing malware, how is that worse than just having malware in the first place?



    Or maybe even more frightening, I'd have to install an infected battery in my laptop - when at least new models don't even HAVE swappable batteries. So Apple would need to install an infected battery. How scary!!! Not.



    On other news, I just found a way to infect the Mac laptop touch pad. Are you all scared now?
  • Reply 19 of 59
    jensonb (member, 532 posts)
    Quote (originally posted by lfmorrison):
    (and others...)

    Perhaps you missed a couple of points in the story above:

    1) Miller has not released the technical details of the vulnerability yet. Nobody could create an exploit using only the data that has been released so far. Apple and Texas Instruments still have an opportunity to release a patch before the details are released.

    2) When Miller does release the technical details, he has announced that he will also be releasing his own tool to plug the vulnerability at the same time. (This tool is something of a blunt instrument, though: it replaces the battery's password with a random string so no future legitimate Apple updates for future stability and feature improvements will work after installing Miller's patch. This is a tradeoff that each hardware owner would have to consider.)



    I didn't miss those things, they're just irrelevant. Number 1 is discountable because he's said when and where he's releasing it, which means he is prepared to do it before Apple and TI have patched it. Number 2 is irrelevant because his "solution", as you noted, simply replaces the password he's gotten a hold of with a random string, rendering the firmware unmodifiable. That's not a cure, that's first aid. It's bad first aid too, because it renders the cure impossible to administer. Besides which, Miller knows the vast majority of affected users will not know or care to apply his solution anyway, whereas everyone who wants to exploit the flaw will be paying attention to his method. He's arming the attackers with a rifle and saying it's okay because he's handing the victims a caulk gun (a humorously appropriate metaphor) to defend themselves with.
  • Reply 20 of 59
    charlituna (member, 7,217 posts)
    Quote (originally posted by AppleInsider):
    "Caulkgun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.



    Sounds to me like this Caulk Gun is pretty much malware itself, as messing with that password could cause your battery to malfunction, particularly if the OS is updated and needs to know that password.



    Quote (from the article above):
    "Now, they've made significant changes and it's going to be harder to exploit," he said, as noted by The Register.




    Translation: But this exploit is basically not a big deal cause Apple has improved the system security making it harder for me or anyone else to get to the firmware level to muck around.