Well known for his off-the-wall challenges to the (relatively) flimsy Apple security wall, Charlie Miller has taken something of a left turn into even stranger territory.
A long time ago, this writer heard a (hopefully) apocryphal tale of a system administrator who was struggling to locate the source of a security intrusion. This administrator would reformat drives and the attack would continue; he would even replace the hard disk and it would continue, all the while with the machine connected to nothing but electricity and oxygen.
In the end, he replaced the network card (along with another hard disk) and the problem vanished. It turned out, after a lot more analysis, that the virus had managed to lodge itself into the unused portion of the EEPROM memory of the network adaptor.
As I said, hopefully apocryphal.
However, Miller's attack is equally obscure and definitely NOT apocryphal.
What he found was that it was possible to access the smarts in the battery of a MacBook and do some very unexpected things.
Charlie Miller was able to decompile an Apple update in 2009 that dealt with the battery and from that extracted two passwords used to validate firmware updates to the battery. He found that Apple offered no way to change these default passwords.
"You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery," says Miller.
Of course, next we'll hear that the smarts in toner cartridges are conspiring to defraud us of useful toner levels!
As part of his research, Miller developed an antidote called "Caulkgun", which changes the battery password to some random string, but of course that would stop future battery-related updates from Apple being applied.
"No one has ever thought of this as a security boundary," says Miller. "It's hard to know for sure everything someone could do with this."
Other researchers chided Miller for the chance he might blow something up, but three things stopped him. His personal credit card stopped after he'd 'bricked' seven batteries at $US130 each; working from home, he had something of a pathological fear of blowing his place up; and finally, when opening one of the bricked batteries, he discovered that fuses inside would stop them charging if the temperature was too high.
Miller is presenting his findings at the next Black Hat Congress in Las Vegas in August.