Page 2 of 2
In addition, the battery firmware attacks could be conducted remotely, without requiring hackers to have the computers in their possession for successful execution.
“A remote exploit gets you onto the computer and you can start to make changes,” Miller said. “You can make all of these changes while the battery is plugged into the computer.”
What’s more, because a computer’s battery is an unlikely source of infection, an attack could potentially remain undetected by IT administrators, allowing the malware to be used in repeated attacks.
Miller plans to expose the battery firmware exploit during the Black Hat USA hacker conference in Las Vegas during the first week of August. During his presentation, he will also be releasing a tool, known as Caulkgun, that users can download allowing password randomization on the battery's chips.
While Miller tested the hack on a variety of Macbooks--Macbook Pro, Macbook Air-- he said that the exploit could be applied to any operating system. Miller added that he notified Apple of the vulnerability in its battery chips, but has yet to hear back from Cupertino on the status of the fix.
However, Miller added that a typical cyber criminal intent on obtaining credit card and other financial information would likely not use a battery firmware hack for financial gain.
A more likely scenario would be ruining the battery or rendering the computer inoperable and then extorting the owner with the use of their own computer, Miller said.
“The worst thing they would probably do is trash the battery so it doesn’t work anymore,” Miller said. “There’s really not any way you can make money from this.”