Security expert finds vulnerability exposing MacBook batteries to 'bricking,' malware

2

Comments

  • Reply 21 of 59
    samwellsamwell Posts: 78member
    Quote:
    Originally Posted by Patranus View Post


    Great.

    Another hacker turned "security activist".

    Only out to make a name for himself. Doesn't care about anyone else.

    Hint, if he cared about security and users, he wouldn't release his findings to the general public.

    All these hacktavists are simple out for themselves.

    It is pretty sick.



    The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.
  • Reply 22 of 59
    Quote:
    Originally Posted by samwell View Post


    The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.



    Agreed. How the hell is it this guy's fault? Get the blinkers off. He's performing a service, if he was a sicko you would never have known about this, only a story of battery failure and bricked Macbooks.
  • Reply 23 of 59
    8002580025 Posts: 172member
    Quote:
    Originally Posted by AppleInsider View Post


    One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.



    So in essence it's a battery manufacturer exploit in conjunction with being installed in an Apple producte and not solely an Apply 'vunerability'? If so, why take an alarmist approach and denigrate Apple? And has the battery manufacturer been notified as well? Otherwise it is similar to putting the blame on a car manufacturer for using substandard tyres.
  • Reply 24 of 59
    maguromaguro Posts: 65member
    "According to him, IT few administrators would think to check the battery"



    What are "IT few administrators?" Any guesses?
  • Reply 25 of 59
    bsimpsenbsimpsen Posts: 358member
    Quote:
    Originally Posted by samwell View Post


    The only sick thing is your pathetic need to blame the security guy instead of Apple, who couldn't be bothered to change the default password.



    I'd blame the security guy for the wholesale manufacture of threats that don't exist. The battery cannot be made to catch fire or explode (as I explained earlier), nor is x86 code stored in/retrieved from the battery controller firmware. I do believe this is a case of Mr. Miller's ignorance and self interest getting the better of himself and a great many others.
  • Reply 26 of 59
    Quote:
    Originally Posted by Patranus View Post


    Great.

    Another hacker turned "security activist".

    Only out to make a name for himself. Doesn't care about anyone else.

    Hint, if he cared about security and users, he wouldn't release his findings to the general public.

    All these hacktavists are simple out for themselves.

    It is pretty sick.



    To his credit, unlike most security researchers, he doesn't keep chasing the security problem down a rabbit hole and asserting each time something is fixed that there is still some horrible problem remaining. He also doesn't seem to be an absolutist and talks about "good enough" security at times.



    He publicly stated a bunch of things he thought were wrong with OS-X's security and agitated for them to be fixed. When Apple fixed them one by one, he congratulated them one by on. Now they've fixed most everything he complained about... he is mostly not complaining anymore.



    It's his job to point out these insecurities. Now he seems to be saying that OS-X is pretty secure at this point and he is switching to criticising the batteries. I don't see what the big problem is with this. You couldn't really ask the guy to be much more professional.



    He's much better than the average "security investigator" IMO.
  • Reply 27 of 59
    Quote:
    Originally Posted by c-ray View Post


    The image in the article shows MacBook removable batteries. They appear to be similar to the MacBook battery that I replaced recently (in my MacBook 4,1). I used a 3rd party battery that was substantially less expensive than the Apple replacement battery. Now I have several questions...



    1) Does the 3rd party battery have the same default password that the original battery had ?



    2) Would the 3rd party battery take firmware updates sent out by Apple (assuming they cared about a 3 year old design at this point).



    3) Is the default password something assigned by Apple or TI (I'm guessing the latter).



    4) How does anyone know that these 3rd party batteries (the one I bought says 'agptek' on the box) are free of malware in the first place ?



    like I didn't have enough things to worry about already



    If you have a third party fake Apple battery in your MacBook, that last thing you should worry about is being hacked by an exploit that at this point is just theoretical.



    You should worry about being poisoned or burned by the battery, about the children that were probably forced to make it in some filthy sweatshop somewhere, and about the very real possibility that it will catch fire or explode at any moment. Seriously.
  • Reply 28 of 59
    solipsismsolipsism Posts: 25,726member
    I can't say I'm concerned about a battery exploit.
  • Reply 29 of 59
    haggarhaggar Posts: 1,568member
    Quote:
    Originally Posted by mrstep View Post


    Or maybe even more frightening, I'd have to install an infected battery in my laptop - when at least new models don't even HAVE swappable batteries. So Apple would need to install an infected battery. How scary!!! Not.



    Apple's component suppliers could sell them infected batteries, just like the iPod hard drives:



    http://www.apple.com/support/windowsvirus/
  • Reply 30 of 59
    This is it, I'm going back to Windows!!!



    ...Not!
  • Reply 31 of 59
    That explains why my battery keeps telling my Mac that it has a PC virus would you like to remove it for $25 to some Russian website I never heard of.
  • Reply 32 of 59
    Quote:
    Originally Posted by Maguro View Post


    "According to him, IT few administrators would think to check the battery"



    What are "IT few administrators?" Any guesses?



    Yoda.
  • Reply 33 of 59
    john.bjohn.b Posts: 2,740member
    So... The non-removable batteries aren't so bad after all?
  • Reply 34 of 59
    prof. peabodyprof. peabody Posts: 2,860member
    Quote:
    Originally Posted by Smallwheels View Post


    I'm on my second defective Apple Mac Book battery. It is in a middle 2008 polycarbonate 2.4 GHz Core 2 Duo model. The first one expanded so much that it pushed the track pad and some keys upward causing them to stick. The latest replacement decided it would not hold a charge more than one and a half hours for a while. Then it refused to hold a charge more than a few minutes.



    This is from the batch that was recalled from Sony years ago. I assumed that they fixed the problem and stopped sending out defective ones. I assumed wrong.



    Apple refused to replace the first one. So I reported it to the Consumer Products Safety Commission or whatever it is called. Only then did Apple contact me and offer to replace it. The replacement only worked for a few weeks before problems started. My laptop computer is not relegated to being a desktop computer.



    Now that a software hack is about to be released into the world that could destroy more batteries, Apple had better prepare itself with some new batteries. What if such a hack or even a defect happens in the sealed batteries in the all aluminum models? That would be really bad.



    I just flat out don't believe you here.



    At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.
  • Reply 35 of 59
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by Prof. Peabody View Post


    I just flat out don't believe you here.



    At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.



    Futhermore, I've never had a problem with Apple replacing a bloated battery without question. Since it's a potential fire and explosion hazard, and they can ship these batteries back to the manufacturer for credit there is no harm in correcting this for the user.
  • Reply 36 of 59
    djdjdjdj Posts: 74member
    Quote:
    Originally Posted by Prof. Peabody View Post


    I just flat out don't believe you here.



    At the very least you are leaving out a lot of mitigating circumstances or other detail that would elucidate why Apple behaved in such an atypical manner for them. For instance it makes absolutely no sense at all that you bought an Apple computer with a battery in it that was "... from the batch that Sony recalled years ago." Unless you are explaining it incorrectly, that's just a plain old lie.



    If the serial number of the battery doesn't fall into the range noted by Apple as having a problem, this is exactly how they would behave, even if it was a manufacturing defect. We've seen time and time again that Apple refuses to fix different product defects until there is such a consumer and media uprising that they have no other choice.



    As for batteries failing, I can attest it happens. My brother and I just pulled a battery out of a 2009 13" MacBook Pro today which had swelled to the point where the trackpad was pushed up past the top of the case. When we pulled it out of the case it had swelled to the point where it was a full 1/2 inch taller than it should have been. Apple absolutely refused to replace it without being paid $179. It was the original battery provided by Apple and was clearly defective.
  • Reply 37 of 59
    eriamjheriamjh Posts: 1,350member
    Firmware controls when to allow the battery to charge and by how much. By hacking the firmware, one could leave the batteries on full charge when they are actually at 100% state of charge and can't take any more energy. Then you'll get heat and then venting of the electrolyte from the cells. Lithium Ion-based batteries are toxic to us humans and the vented gas is not only flammable, but corrosive and lethal.



    This is a bad thing. If Apple has not responded after a few weeks or months, then he might as well release the info and force them to do something.
  • Reply 38 of 59
    robin huberrobin huber Posts: 3,517member
    . . . have posted a warning that there is a vulnerability in Kohler toilets that could allow Al Queda to remotely detonate explosives planted in the tank. By installing their Caulk fix this problem is alleviated. However, you will lose the ability to flush.
  • Reply 39 of 59
    bsimpsenbsimpsen Posts: 358member
    Quote:
    Originally Posted by Eriamjh View Post


    Firmware controls when to allow the battery to charge and by how much. By hacking the firmware, one could leave the batteries on full charge when they are actually at 100% state of charge and can't take any more energy. Then you'll get heat and then venting of the electrolyte from the cells. Lithium Ion-based batteries are toxic to us humans and the vented gas is not only flammable, but corrosive and lethal.



    This is a bad thing. If Apple has not responded after a few weeks or months, then he might as well release the info and force them to do something.



    You have no idea what you are talking about. The charge control hardware in a LiPo system will not force the battery into a hazardous state even if the firmware is hacked. This is a regulated requirement for consumer products carrying US/CSA/IEC certification. If a LiPo battery were to vent, the gas would be hydrogen, which is non-toxic. You can float a LiPo cell at its rated full-charge voltage (4.2 or 4.3V depending on the chemistry) indefinitely with no harm.



    Apple has no obligation to teach engineering to Mr. Miller, or to you.
  • Reply 40 of 59
    igxqrrligxqrrl Posts: 105member
    Quote:
    Originally Posted by bsimpsen View Post


    I'd blame the security guy for the wholesale manufacture of threats that don't exist. The battery cannot be made to catch fire or explode (as I explained earlier), nor is x86 code stored in/retrieved from the battery controller firmware. I do believe this is a case of Mr. Miller's ignorance and self interest getting the better of himself and a great many others.



    You are stating this information as fact.



    Either you are in a position to know these things, in which case you are likely not in a position to comment without breaking your employment contract, or you are making assumption s, in which case you should not state them as fact.



    Regardless, believing that a battery's firmware cannot cause it to operate out of spec requires an unenviable dearth of imagination. Likewise believing that corrupt or malicious firmware cannot affect the operating system. Yes, indirectly invoking a code path that was not intended.



    As to whether battery firmware can cause a fire, well, I'm not in a position to know, but just using my MacBook Pro under light load seems to come fairly close.
Sign In or Register to comment.