Apple left default passwords in batteries, making them vulnerable to hacks, explosion

white88enochian Regular
edited August 2011 in Tech & Games
According to Miller's Black Hat talk description, "being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire." Notably, when the lithium-ion batteries used in laptops overheat, they can rupture, causing injuries. On the other hand, well-manufactured batteries also include numerous safety features, such as the ability to shut down in the event of overheating, as well as circuit interrupters designed to prevent overcharging or undercharging.

In his forthcoming talk, Miller plans to demonstrate how to modify the firmware used by Apple smart batteries, disable their anti-tampering checksum, and reprogram the battery firmware using "a simple API," which he plans to release publicly. While Miller's research focused on MacBook, MacBook Pro, and MacBook Air laptops from Apple--with whom he's already shared the results of his research--he suspects that Windows laptop batteries would be susceptible to firmware attacks.

Miller reverse-engineered Apple's battery firmware after the company issued a related firmware update in 2009. From there, he discovered the default password used to secure batteries, and from there, he learned how to read the values from that firmware and alter how the battery firmware interacts with the laptop. To date, Miller said he's successfully bricked seven Mac laptops via battery firmware hacks.

Interestingly, however, reprogramming the battery firmware could also allow an attacker to introduce persistent malware into the laptop. "You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack," Miller told Forbes.com. "There would be no way to eradicate or detect it other than removing the battery."

Despite the apparent threat vector, battery firmware offers essential functionality, giving users precise readings of a laptop's remaining charge, operating time, and estimated recharge time, while also allowing the battery to control the voltage and current being provided by a charger.

But how feasible are attacks against battery firmware? Offering some perspective, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in a blog post that when it comes to reprogramming controllers with field-updatable firmware, laptop batteries aren't the only option. Indeed, an attacker could also target "the motherboard itself, your wireless card, your 3G modem, network card, graphics device, storage devices, and much more," he said.

To address the Apple laptop battery firmware vulnerability, Miller plans to release a utility called "Caulkgun" that will allow Apple users to change their laptop battery passwords. On the upside, the utility would prevent an attacker from exploiting an Apple battery pack's embedded controller. On the downside, it would block any Apple patches, performance enhancements, or security updates from updating the battery's firmware, unless the user first restored the battery's default password.

How could this be? What design error in the system made it possible? None. Miller wrote programs based on published documentation for chips conforming to a popular standard. But there is one key mistake by Apple that makes the whole thing a lot worse.
The standard is the Smart Battery Specification. Consumer electronics batteries, especially on complex devices like computers, are complex devices themselves. They interface with the host system to allow for fine control of the power in the system. It turns out that if a program has the correct code to do so, it can query the device for its status and command it, as well as the charger. It can also command it to do things which cause damage to the battery, possibly damaging it, possibly making the battery unusable. In fact, Miller says it's easy to ruin a battery by misprogramming it. But even though the SBS goes to great lengths to preserve safety, a program in control of the system might even be able to overheat the battery and cause a fire.
Charlie Miller is one of the best-known characters in the vulnerability research business. For years he has been famous as the only person to do serious research on Apple products, especially on Macs. He has a shelf full of Pwnie awards to show how good he is at it. @0xcharlie, as he's known on Twitter, will be speaking next week at the BlackHat conference in Las Vegas, presenting the paper I read (at which point it will be fully available to the public), but he has no Pwnie nominations this year. He's probably been too busy with his new job as Principal Research Consultant for Accuvant LABS, the security assessment and research division of Accuvant.
Being a Mac guy, Miller worked with Macs for this testing, but it's reasonable to presume that the problems might exist on other notebooks as well. SBS is a popular specification. The attacker would need to do Windows programming -- there are plenty of references on power management in Windows -- or it may be necessary to talk directly to the devices through a device driver interface, but it certainly can be done. He doesn't have a complete list of which Macs are vulnerable, but every one he tested was, one going back to 2007.
But it can't necessarily be done on any SBS-compliant system because they didn't necessarily make the mistake that Apple did: They used the default passwords for accessing and programming the battery using the Texas Instruments power management chipset. Out of the box, batteries in these systems are "sealed" to prevent software from modifying their settings. To unseal them you need to authenticate to them using a password. Apple used the default TI passwords for unsealing the battery and entering "full access mode". Miller was able to look these up in the Texas Instruments docs and use them.
Changing the passwords in an update is probably futile for Apple because updates can be reverse-engineered. All they can do is to protect new systems from here on. Whether other notebook manufacturers make the same mistake is not clear, but we'll probably find out soon.
In the process of this testing, Miller "bricked" 7 Mac batteries.

If you want to do so, you can actually reprogram the battery firmware. It's important to point out that an attacker would need to be able to run privileged code on the system, possibly to run it as the root user. This is hard to do without some other compromise in place and would be very hard, if at all possible, in a "drive-by" fashion as on a web page. But, combined with social engineering to get code on the system and, perhaps, a privilege escalation vulnerability, it could be done.
It's hard enough designing a power management spec that maintains safety under normal specifications. Engineers must be frustrated to have to consider the possibility of malicious power management code, but then here we are. It's possible and it's not too crazy to imagine it being done. And now that it's well-known and documented it's up to the battery, chipset and computer companies to take reasonable steps to account for it. None of that can help the users of existing vulnerable systems.
This is what happens with complexity. To make our batteries smart and efficient we need to make them complex. When you make them complex you make them more vulnerable to attack. When you don't take care to protect these vulnerable systems, users are at risk. Unfortunately, complexity is all around us and growing.
FROM 2 SOURCES
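The sealed / unsealed / full-access ladder the second article describes, and the trade-off it attributes to Caulkgun (rotated keys block an attacker who relies on the documented defaults, but also block a vendor updater that relies on them), as an added Python model that is not from either article or from Miller's tools. All key values, class and function names here are constructed placeholders; the real vendor defaults are deliberately not reproduced.

```python
from dataclasses import dataclass

# Constructed placeholder keys standing in for "the defaults printed in the chip docs".
DOC_DEFAULT_UNSEAL = 0x1111_1111
DOC_DEFAULT_FULL = 0x2222_2222

SEALED, UNSEALED, FULL_ACCESS = "sealed", "unsealed", "full_access"


@dataclass
class SmartBatteryModel:
    """Toy model of a gas-gauge access ladder: sealed -> unsealed -> full access."""
    unseal_key: int = DOC_DEFAULT_UNSEAL   # shipped with the documented default
    full_key: int = DOC_DEFAULT_FULL       # same mistake the article describes
    state: str = SEALED
    firmware: str = "vendor-v1"

    def unseal(self, key: int) -> bool:
        if self.state == SEALED and key == self.unseal_key:
            self.state = UNSEALED
        return self.state == UNSEALED

    def full_access(self, key: int) -> bool:
        if self.state == UNSEALED and key == self.full_key:
            self.state = FULL_ACCESS
        return self.state == FULL_ACCESS

    def write_firmware(self, image: str) -> bool:
        if self.state != FULL_ACCESS:      # writes are refused below full access
            return False
        self.firmware = image
        return True

    def uses_documented_defaults(self) -> bool:
        """Defender's check: is this pack still on the keys anyone can look up?"""
        return (self.unseal_key, self.full_key) == (DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL)


def flash_with(pack: SmartBatteryModel, unseal_key: int, full_key: int, image: str) -> bool:
    """Walk the whole ladder with one key pair; True only if the image actually landed."""
    ok = pack.unseal(unseal_key) and pack.full_access(full_key) and pack.write_firmware(image)
    pack.state = SEALED                    # the pack is resealed after servicing
    return ok


def rotate_keys(pack: SmartBatteryModel, new_unseal: int, new_full: int) -> None:
    """Model of the Caulkgun idea: move the pack off the documented defaults."""
    pack.unseal_key, pack.full_key = new_unseal, new_full


def demo() -> tuple:
    pack = SmartBatteryModel()
    exposed_before = pack.uses_documented_defaults()
    third_party = flash_with(pack, DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL, "third-party")
    rotate_keys(pack, 0x3333_3333, 0x4444_4444)
    third_party_after = flash_with(pack, DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL, "third-party-2")
    vendor_blocked = flash_with(pack, DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL, "vendor-v2")
    rotate_keys(pack, DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL)   # user restores defaults first
    vendor_ok = flash_with(pack, DOC_DEFAULT_UNSEAL, DOC_DEFAULT_FULL, "vendor-v2")
    return exposed_before, third_party, third_party_after, vendor_blocked, vendor_ok, pack.firmware
```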

Comments

  • Box Regular
    edited August 2011
    Holy fucking shit. All that can be done using the battery's firmware? Dang.
  • edited August 2011
    Jesus Christ, nice fuck up Apple! Good job I don't support them in any way. The sad thing is, I bet 98 percent of all Mac users wouldn't care anyway because they're too stuck up about owning a Mac in the first place.

    "oh, my Mac is better than your PC because it cost £91283792387!!!!"
    "Macs are invulnerable to viruses"

    etc etc etc.

    Have fun with your shitty batteries :facepalm:
  • MunkeyQ Semo-Regulars
    edited August 2011
    trx100 wrote: »
    Have fun with your shitty batteries :facepalm:
    If you read the article, it mentions that it uses SBS. This specification is used by many battery controller IC manufacturers for loads of smart Li-ion packs in many different brands of laptop. There's nothing special or vulnerable about Apple's battery design, it's just that they left the front door wide open by using the default password.

    It would be interesting to find out how many other laptop manufacturers also use the TI controller with the default password. It's more of a serious threat on Apple machines though; it's safe to assume that almost every machine running OSX will be Apple hardware, whereas not every machine running Windows will have vulnerable hardware. Even if there was a list of PC laptops which suffered from the default password security hole, it's difficult to find out the model remotely to find out if the machine was in fact subject to battery fuckery.

    As far as I know, Foxconn has a big part in the hardware design of Apple's computers, so I'd hazard a guess that quite a few laptops OEM'd by them may have the same hole.
  • Dfg Admin
    edited August 2011
    MunkeyQ wrote: »
    If you read the article, it mentions that it uses SBS. This specification is used by many battery controller IC manufacturers for loads of smart Li-ion packs in many different brands of laptop. There's nothing special or vulnerable about Apple's battery design, it's just that they left the front door wide open by using the default password.

    It would be interesting to find out how many other laptop manufacturers also use the TI controller with the default password. It's more of a serious threat on Apple machines though; it's safe to assume that almost every machine running OSX will be Apple hardware, whereas not every machine running Windows will have vulnerable hardware. Even if there was a list of PC laptops which suffered from the default password security hole, it's difficult to find out the model remotely to find out if the machine was in fact subject to battery fuckery.

    As far as I know, Foxconn has a big part in the hardware design of Apple's computers, so I'd hazard a guess that quite a few laptops OEM'd by them may have the same hole.

    You know I am actually shitting minor bricks reading the OP. If what he says is correct (waits for the demo) then even Windows Laptops can be cracked. I mean no one bothered with it now but after this goes public I am sure everyone will be working hard to find a loophole in Windows. Imagine trying to troubleshoot a system like that!

    I do hope Apple takes some steps, like creating a patch which changes the patch perhaps.
  • white88enochian Regular
    edited August 2011
    The guy who wrote this said he will be releasing a fix/patch himself. This reminds me of modding the PSP with their own battery.