Apple laptop batteries are the new attack vector

  • 25 July 2011
  • Published in Security

Charlie Miller, a well-known security researcher in the Apple space, has found that your MacBook battery may well be out to get you (if you don't get it first).

Charlie Miller, a winner at the last four Pwn2Own challenges, has expanded our view of the Apple world yet again.

Well known for his off-the-wall challenges to the (relatively) flimsy Apple security wall, Miller has taken something of a left turn into even stranger territory.

A long time ago, this writer heard a (hopefully) apocryphal tale of a system administrator who was struggling to locate the source of a security intrusion. This administrator would reformat drives and the attack would continue; he would even replace the hard disk and it would continue, all the while with no connection to anything but electricity and oxygen.

In the end, he replaced the network card (along with another hard disk) and the problem vanished.  It turned out, after a lot more analysis, that the virus had managed to lodge itself into the unused portion of the EEPROM memory of the network adaptor.

As I said, hopefully apocryphal.

However, Miller's attack is equally obscure and definitely NOT apocryphal.

What he found was that it was possible to access the smarts in the battery of a MacBook and do some very unexpected things.

What many users don't realise is that there is executable code in the battery of their Apple laptop. It even has a password that the operating system uses to communicate securely with it. Think about it: how else can the battery tell the computer that it has had enough charging (thanks very much), and that it really is a genuine Apple-authorised battery, not some fly-by-night unit that doesn't have the Apple kiss of life?

Charlie Miller was able to decompile an Apple update in 2009 that dealt with the battery and from that extracted two passwords used to validate firmware updates to the battery.  He found that Apple offered no way to change these default passwords.

"You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery," says Miller.

Of course next, we'll hear that the smarts in toner cartridges are conspiring to defraud us of useful toner levels!

As part of his research, Miller developed an antidote called "Caulkgun" which changes the battery password to some random string, but of course that would stop future battery-related updates from Apple being applied.

"No one has ever thought of this as a security boundary," says Miller. "It's hard to know for sure everything someone could do with this."

Other researchers chided Miller for the chance he might blow something up, but three things stopped him. First, at $US130 each, his personal credit card stopped after he'd 'bricked' seven batteries. Second, working from home, he had something of a pathological fear of blowing his place up. Finally, when opening one of the bricked batteries, he discovered that fuses inside would stop them charging if the temperature was too high.


Miller is presenting his findings at the next Black Hat Congress in Las Vegas in August.

