Charlie Miller, Apple security expert with the consulting firm Accuvant, found a new way to hack into Apple's MacBook computers -- with the battery.
If exploited, Miller’s newly discovered hack could force battery overheating, or render it inoperable, transforming the computer into an expensive paperweight. The exploit could even allow hackers to run malware via the battery that could potentially be used to access or steal data.
“I started looking at what I could do that anyone would understand,” Miller said. “What’s something that people would understand? Could bad guys break into your computers, and make batteries blow up?”
Miller said that Apple’s Lithium Polymer batteries are shipped from the factory in a sealed state, preventing anyone from making changes to them. He subsequently embarked on the process of tinkering with the batteries -- reverse engineering the firmware and disabling some of the their safety features. Throughout the entirety of the hacking process, Miller went through a total of seven batteries -- although he emphasized that he “never blew anything up.”
Ultimately, Miller found that batteries in modern laptops, such as Macbook Airs and Mabook Pros, contain an embedded chip that serves as a conduit for communication between the operating system and the battery. The battery chip essentially enables the battery to report what it needs to the operating system, whether it needs more charge, whether it’s overheating or has too much of a charge and when to power down or completely off.
“The main brains of this operation are the battery chip,” Miller said. “The computer can’t tell when there’s too much charge. (The chips) main mission is to make sure things are safe.”
However, during his experimentation, Miller discovered that the Achilles heel of the battery chip in MacBooks and other computers was that they shipped with a default password that enables hackers to unseal and open up full access to it. By figuring out the default password, miscreants could potentially obtain control of the battery and take control -- to a degree -- of the computer’s operability.
“By looking to see what that password is, you can start to make changes,” Miller said. “If you have full access mode to the battery, you can do anything with it.”
Once hackers have this kind of control, they could launch exploits to ruin the battery’s firmware, causing overheating or “bricking” so the batteries, and the computers they’re powering, are rendered useless. The exploit could be used to alter code on the battery’s chip to prevent it from charging or cause it to block the computer from communicating with the battery. A more dramatic battery firmware hack could potentially cause the batteries to catch fire or explode.
In addition, hackers who successfully exploited the vulnerability could change the code that runs on the chip to host malware. Hackers could then use the malware embedded on the chip to attack the OS from the battery.
In a worst case attack scenario, the malware implanted on the chip could be used to infiltrate the OS to steal or alter data, cause the computer to crash or take control of the affected system. However Miller said that the hackers would have to exploit a vulnerability in the way the operating system talks to the battery for this kind of successful attack.
Next: Battery Firmware Hacks Can Be Conducted Remotely