fuuuuuuuuck
That is all.
Now that Apple has endowed the Mac operating system with state-of-the-art security protections, a researcher has devised new attacks that target the machine's battery. Charlie Miller, well known for his numerous attacks on iPhones and Macs, may not have achieved his ultimate objective of making a Mac spontaneously combust, but …
Most of the security they do have comes from the open source that Mac OS X is based on (BSD and friends).
If ever there's an exploit out there in the wild that takes advantage of Apple software (Safari, iTunes, etc...) it can take anything up to a month for a patch to come through Software Update. Same for the open source programs that run under the hood like the scripting languages, CUPS, or Samba (which it seems they've stopped updating, the version running is so antiquated it's a joke).
They either stick the security update in the next version of Apple software which has a tiny change in functionality to justify the update or push out a security roll up which addresses a number of issues that have been piling up over the previous weeks/months.
They've made this mistake before with hardcoded root passwords in the iPad and iPhone. Guess what, they've gone and done it again here.
They still haven't got rid of the 'automatically open safe files' option in Safari which happily runs installer scripts which has been used to download malware.
I honestly prefer Microsoft's way of doing things when it comes to security updates. Perhaps not Microsoft's security in itself. Mac OS X started with a better base but it seems to have made them lazy.
Minor correction: Apple have never hard coded the root password for iOS devices; certain jail break tools used to do that, creating a security flaw for users of those tools only.
I otherwise agree with you mostly, Apple's attitude seemingly being that security updates aren't very urgent.
One thing I'm unsure of from the article: how do you perform the attack? Do you need physical access and/or root permissions? Anything of that nature that comes through Software Update requires an administrator password - does this flaw get around that somehow?
The original iPhones and iPod (not iPad, that was my mistake) had a hardcoded root password.
http://www.builderau.com.au/blogs/byteclub/viewblogpost.htm?p=339270810
Then people put all sorts of goodies like SSH on their jailbroken devices, which made it possible to get in using the same passwords.
I stand corrected, but in my defence I was thinking of a careless security mistake in a piece of software that was actually exploited. As the article you link to says "Having the passwords will not do anybody any good for the moment [...] nobody even seems certain that the accounts access the machine at all". However it was my mistake to conflate the two things and to claim that you were wrong.
As to the rest of my original post, I'm still uncertain as to how one would put damaging software onto an Apple battery. I don't deny that there's a potential security problem here (though if the battery firmware could be altered only by a piece of software already running as root on the machine then I might, since then logically the number of attack vectors isn't increased, just the number of attacks) but I'm curious what a prudent person should do in response.
It really depends how much control the embedded chip has.
If you're just restricting yourself to the battery, you could get it to overcharge the cells, which can result in damage, overheating, melting of the battery compartment, release of Hydrogen which is potentially explosive, potentially damaging the laptop itself.
On a software level, the chip obviously does have a communication method to the main CPU (presumably to allow the CPU to read battery level and update the firmware in the first place), and as with any method of communication, how much software damage it can cause depends on the security and checking inherent in this communication, and how the program on the other end responds to attempts to cause buffer overflows, bad parameter passing, malformed messages, et al.
... may not be an impossible result, if the chip controls (to a certain extent) the charging and battery safety circuitry, and can be hacked so voltage or current detection thresholds are skewed appropriately.
For example (and very simplistically), your typical, properly-maintained, not-worn-out lithium-ion battery cell is charged to around 4.2 volts. Once the 4.2 volt threshold is reached, charging current will begin to drop. When the charging current drops to about 3% of the nominal charging current, the charger will usually exit its continuous-charge mode, and will either wait until cell voltage drops to a certain level before starting a new charge cycle, or will trickle-charge the cell intermittently using a timer.
If the chip being discussed controls charging cycles and safety, and its detection thresholds can be overridden so that it (hypothetically) reads the 4.2 volt full-charge threshold as 3.9 volts, and tells the charger to keep pushing a 100% nominal charge current into the battery even though it is already fully charged, the battery **could** conceivably overheat, rupture, and catch fire from the abuse.
Not something I'd like to encounter, if I have a habit of actually using my laptop on my lap, such as on the train while I'm commuting to/from work...
http://www.theregister.co.uk/2003/01/17/dell_laptop_named_in_sa/
http://www.theregister.co.uk/2011/05/31/hp_laptop_battery_recall/
http://www.theregister.co.uk/2005/05/20/apple_recalls_batteries/
http://www.theregister.co.uk/2008/10/30/sony_battery_recall_october_2008/
You were saying?
Those were as a result of a bad batch of batteries, or third party batteries, but they prove just how volatile the things can be. Lithium Cobalt were shockers for this. Lithium-Polymer(-hybrid) are also very volatile.
This is why they have fancy charge controllers that continually monitor the heat, current flow and individual cell voltage, trying to balance the cells' voltage and ensure current demands stay within safe limits.
Should someone screw with this, the results could be disastrous.
I agree with all your points, except that a typical smart battery has two controllers, one to control the charge safely and the other is the 'fuel gauge' which amongst other things drives the row of LEDs on the outside of the battery. Neither of these has direct control over the current in or out; the laptop's PSU handles that which communicates with these controllers over an I2C link. But either can simply disconnect the cells entirely by switching off FETs in series with the battery terminals if they detect something is awry.
Both controllers would probably need to be doctored to actually get the battery to go up and then it could only happen whilst on charge.
As a last line of defence there are usually a couple of thermal fuses in series too which one would hope would go open circuit before any actual explosion.
About the time device manufacturers started moving from Nickel Cadmium [NiCd] and (early) Nickel Metal Hydride [NiMH] to Lithium Ion and Lithium Polymer...
Lithium-based batteries have a significantly higher energy density per unit mass than the Nickel-based batteries, but they are also constructed from chemicals that are much more volatile, and so require active safety measures (such as charge control and safety circuits) to prevent criticality excursions...
If zapware were to get on to a laptop, would Apple honour a warranty? And if the battery could be set to become dangerous, with whom would the liability rest?
If battery fires are a real possibility Apple would need to sort that out sooner rather than later. Millions of laptop batteries going up in smoke would almost certainly lead to expensive court cases at the very least, with deaths at the other end of the scale of possibilities. Sounds like they ought to be able to push out a fix as a software update. Also airlines would certainly be well advised to consider whether Mac laptop batteries were safe enough to be allowed on flights.
But hang on a mo - has anyone checked to see if this is a feature of laptop batteries in general? I don't suppose PC laptop batteries are so very different.
Yes you can kill a PC by flashing the BIOS with a corrupt version, yes you can do the same with a SATA drive but both are recoverable from if you have the right knowledge. That is the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even override safety protocols to make the battery explode how exactly?
The next question is will Apple be providing a firmware flash tool for the battery so that if somehow you do get a tainted battery you can fix it with a clean version of the firmware or will they rely on the goodwill of a 3rd party and stick with his password change fix to hopefully prevent infection in the first place? They could always take the default Apple position of sticking their fingers in their ears shouting lalalalalalalalala there is no problem, Apple are perfect and any problems you may encounter are entirely your own fault as it couldn't possibly be us.
"How exactly is that the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even override safety protocols to make the battery explode?"*
They have been putting "persistent malware" on hard drives and flash BIOS chips for years. It's called rootkits.
*paraphrased slightly for legibility
"If you /must/ have a brain in a battery, why isn't it mask programmed? Just how smart does a battery need to be?"
Saves having to spend money on doing a mask for every single different battery design, much cheaper. Of course, 'cheaper' is a word that has both short and long term considerations. Business doesn't do long term very well, and a pricey round of court cases can turn previous short term profit gains into an expensive option.
It is absolutely outrageous and unacceptable that there isn't some way to push a button on a battery and totally reset the software, so that a user can quickly and easily fix such a thing without having to spend money to take it in to be fixed.
Of course, the idea of a battery having a little computer inside it is rather strange as well.
We've already seen, though, that many Macintosh models don't have an eject hole for their CD drives, so this kind of deficiency has been encountered before. A Mac may be much less subject to viruses than a PC, but the system's inflexibility sometimes deprives the user of recovery options.
Macs aren't exactly immune to remote code execution attacks. It wouldn't take much more than a booby trapped website (www.makemymacgoboom.com? Anyone bought that one yet?) to run the necessary code on anyone's Mac who happened to visit it.
Human nature being what it is, it will only be a matter of time before some script kiddie tries to detonate Macs all around the world simultaneously courtesy of a trojan payload with a timed execution time, "just for the fun of it".
Will make sure that the Internet gets shut down to stop something like this if it is released, no questions asked.
It's a matter of potentially thousands of fires within a short space of time, no way will they let this happen without a fight.
Maybe Obama might get to use the infamous Internet Kill Switch aka the Big Red Button.
AC/DC
So, Lion is more secure, more robust.....
Let's see:
a) we have bad pre-emption by vendors - http://www.theregister.co.uk/2011/07/22/mac_lion_kills_celerra/ - yes, they should have run beta versions.
b) we have bad assumptions by writers - http://www.theregister.co.uk/2011/07/21/mac_os_x_lion_security/
If I can kill a machine by attacking the battery, how is this more secure than any other operating system?
Methinks writers are too quick to spout off about the newest, bestest OS for xx-machine out there.
Geez, at least let it run a month before deciding how good or bad it is!
I wondered when the rock bottom level of stupidity would finally reach The Reg.
The writers are still as fantastic as they've ever been - and do attend the conferences (Hi John - how are you?)
But the commentards... do you now need to fail a technology IQ test to post...?
It would certainly apply to other vendors who are stupid enough to have batteries that can have firmware arbitrarily updated... But at this stage, Apple is singled out because that's the vendor it's been discovered with. Until someone goes and checks other vendors' products, no one will know.
http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/
I would say that other vendors using similar batteries will have a similar issue as Apple. Miller is a Mac security expert and only looks at Mac. The fact that he is the first to discover it, indicates how obscure this attack is. However, I am certain that Apple and others will produce an update to create a random password.
I am certain Mr Miller had direct access via Terminal to do this hack.
So long as Mac users run their main account as Standard and not Admin, intelligent users are well protected, plus if they upgrade to Lion they will be even more protected.
Wait until airport security finds out about this. We've seen the Dell batteries catching fire, and now we find out that laptop batteries can be hijacked remotely and set to explode. No more laptops on planes, and this after the MacBook Air just got the Transportation Security Administration's approval for carry-on luggage without suspicion.