Charlie Miller, Apple security expert with the consulting firm Accuvant, found a new way to hack into Apple's MacBook computers -- with the battery.
If exploited, Miller’s newly discovered hack could force battery overheating, or render it inoperable, transforming the computer into an expensive paperweight. The exploit could even allow hackers to run malware via the battery that could potentially be used to access or steal data.
“I started looking at what I could do that anyone would understand,” Miller said. “What’s something that people would understand? Could bad guys break into your computers, and make batteries blow up?”
Miller said that Apple’s Lithium Polymer batteries are shipped from the factory in a sealed state, preventing anyone from making changes to them. He subsequently embarked on the process of tinkering with the batteries -- reverse engineering the firmware and disabling some of the their safety features. Throughout the entirety of the hacking process, Miller went through a total of seven batteries -- although he emphasised that he “never blew anything up.”
Ultimately, Miller found that batteries in modern laptops, such as Macbook Airs and Mabook Pros, contain an embedded chip that serves as a conduit for communication between the operating system and the battery. The battery chip essentially enables the battery to report what it needs to the operating system, whether it needs more charge, whether it’s overheating or has too much of a charge and when to power down or completely off.
“The main brains of this operation are the battery chip,” Miller said. “The computer can’t tell when there’s too much charge. (The chips) main mission is to make sure things are safe.”
However, during his experimentation, Miller discovered that the Achilles heel of the battery chip in MacBooks and other computers was that they shipped with a default password that enables hackers to unseal and open up full access to it. By figuring out the default password, miscreants could potentially obtain control of the battery and take control -- to a degree -- of the computer’s operability.
“By looking to see what that password is, you can start to make changes,” Miller said. “If you have full access mode to the battery, you can do anything with it.”
Once hackers have this kind of control, they could launch exploits to ruin the battery’s firmware, causing overheating or “bricking” so the batteries, and the computers they’re powering, are rendered useless. The exploit could be used to alter code on the battery’s chip to prevent it from charging or cause it to block the computer from communicating with the battery. A more dramatic battery firmware hack could potentially cause the batteries to catch fire or explode.
In addition, hackers who successfully exploited the vulnerability could change the code that runs on the chip to host malware. Hackers could then use the malware embedded on the chip to attack the OS from the battery.
In a worst case attack scenario, the malware implanted on the chip could be used to infiltrate the OS to steal or alter data, cause the computer to crash or take control of the affected system. However Miller said that the hackers would have to exploit a vulnerability in the way the operating system talks to the battery for this kind of successful attack.
In addition, the battery firmware attacks could be conducted remotely, without requiring hackers to have the computers in their possession for successful execution.
“A remote exploit gets you onto the computer and you can start to make changes,” Miller said. “You can make all of these changes while the battery is plugged into the computer.”
What’s more, because a computer’s battery is an unlikely source of infection, an attack could potentially remain undetected by IT administrators, allowing the malware to be used in repeated attacks.
Miller plans to expose the battery firmware exploit during the Black Hat USA hacker conference in Las Vegas during the first week of August. During his presentation, he will also be releasing a tool, known as Caulkgun, that users can download allowing password randomisation on the battery's chips.
While Miller tested the hack on a variety of Macbooks--Macbook Pro, Macbook Air-- he said that the exploit could be applied to any operating system. Miller added that he notified Apple of the vulnerability in its battery chips, but has yet to hear back from Cupertino on the status of the fix.
However, Miller added that a typical cyber criminal intent on obtaining credit card and other financial information would likely not use a battery firmware hack for financial gain.
A more likely scenario would be ruining the battery or rendering the computer inoperable and then extorting the owner with the use of their own computer, Miller said.
“The worst thing they would probably do is trash the battery so it doesn’t work anymore,” Miller said. “There’s really not any way you can make money from this.”