MacBook batteries susceptible to hack attacks

Now that Apple has endowed the Mac operating system with state-of-the-art security protections, a researcher has devised new attacks that target the machine's battery. Charlie Miller, well known for his numerous attacks on iPhones and Macs, may not have achieved his ultimate objective of making a Mac spontaneously combust, but …

COMMENTS

This topic is closed for new posts.
  1. Tom Chiverton 1

    fuuuuuuuuck

    That is all.

    1. Anonymous Coward
      Flame

      Not that big of a deal.

      Change your battery. Not that big of a deal.

      Steve

      Sent from my iPhone

      P.S. Oh wait... you can't. Change your lappie. Not that big of a deal... Now why is my iPhone getting so ho.............

      1. Law
        Happy

        I can change my battery...

        ... but it was last non-unibody macbook pro so meh! :)

  2. Kingsley
    Thumb Up

    Hollywood?

    Can you imagine it? A virus that fulfils the Hollywood dream of permanently shutting down computers! Yes, I know this exploit is a long way from that... but imagine! (Would need to play some kind of countdown/evil face laughing first or the likes)

    1. Anonymous Coward
      Paris Hilton

      AA battery

      Soon they will have firmware too and a GPS and GSM all built into a tiny speck within the battery and many TB of flash so when you put a battery in your camera it will also take a copy and store it along with GPS and possibly send by Wi-Fi.

  3. HollyHopDrive

    Given how good Apple are....

    ....at security this is one hell of a schoolboy error.

    1. Dan 55 Silver badge
      Thumb Down

      That's because Apple aren't good at security

      Most of the security they do have comes from the open source that Mac OS X is based on (BSD and friends).

      If ever there's an exploit out there in the wild that takes advantage of Apple software (Safari, iTunes, etc...) it can take anything up to a month for a patch to come through Software Update. Same for the open source programs that run under the hood like the scripting languages, CUPS, or Samba (which it seems they've stopped updating, the version running is so antiquated it's a joke).

      They either stick the security update in the next version of Apple software which has a tiny change in functionality to justify the update or push out a security roll up which addresses a number of issues that have been piling up over the previous weeks/months.

      They've made this mistake before with hardcoded root passwords in the iPad and iPhone. Guess what, they've gone and done it again here.

      They still haven't got rid of the 'automatically open safe files' option in Safari which happily runs installer scripts which has been used to download malware.

      I honestly prefer Microsoft's way of doing things when it comes to security updates. Perhaps not Microsoft's security in itself. Mac OS X started with a better base but it seems to have made them lazy.

      1. Volker Hett

        Somehow

        I'm not so sure about Microsoft's batteries, though.

        1. Anonymous Coward
          Anonymous Coward

          @Volker

          Err... The batteries in systems running MS' software are controlled by the hardware manufacturers, it's their firmware updates that protect their hardware, nothing to do with MS.

          1. Volker Hett
            Joke

            Oh, really?

            I didn't know that.

        2. Anonymous Coward
          Facepalm

          @ Volker

          Microsoft don't make batteries.

          1. Anonymous Coward
            Anonymous Coward

            @Your Retarded

            I think that was the point. Irony bypass?

            Oh and I haven't got a retarded, whatever one of those might be.

            1. Anonymous Coward
              Happy

              Haven't got one?

              Fear not, for I am he!

          2. Volker Hett
            Joke

            Good to know!

            That must be the reason why the Sony cells in my Toshiba blew up, imagine they were from Microsoft.

      2. Anonymous Coward
        Anonymous Coward

        Security through obscurity

        in other words.

      3. ThomH

        @Dan 55

        Minor correction: Apple have never hard coded the root password for iOS devices; certain jail break tools used to do that, creating a security flaw for users of those tools only.

        I otherwise agree with you mostly, Apple's attitude seemingly being that security updates aren't very urgent.

        One thing I'm unsure of from the article: how do you perform the attack? Do you need physical access and/or root permissions? Anything of that nature that comes through Software Update requires an administrator password - does this flaw get around that somehow?

        1. Dan 55 Silver badge

          @ThomH

          The original iPhones and iPod (not iPad, that was my mistake) had a hardcoded root password.

          http://www.builderau.com.au/blogs/byteclub/viewblogpost.htm?p=339270810

          Then people put all sorts of goodies like SSH on their jailbroken devices, which made it possible to get in using the same passwords.

          1. ThomH

            @Dan 55

            I stand corrected, but in my defence I was thinking of a careless security mistake in a piece of software that was actually exploited. As the article you link to says "Having the passwords will not do anybody any good for the moment [...] nobody even seems certain that the accounts access the machine at all". However it was my mistake to conflate the two things and to claim that you were wrong.

            As to the rest of my original post, I'm still uncertain as to how one would put damaging software onto an Apple battery. I don't deny that there's a potential security problem here (though if the battery firmware could be altered only by a piece of software already running as root on the machine then I might, since then logically the number of attack vectors isn't increased, just the number of attacks) but I'm curious what a prudent person should do in response.

            1. Anonymous Coward
              Anonymous Coward

              Any number of things.

              It really depends how much control the embedded chip has.

              If you're just restricting yourself to the battery, you could get it to overcharge the cells, which can result in damage, overheating, melting of the battery compartment, release of hydrogen which is potentially explosive, potentially damaging the laptop itself.

              On a software level, the chip obviously does have a communication method to the main CPU (presumably to allow the CPU to read battery level and update the firmware in the first place), and as with any method of communication, how much software damage it does depends on the security and checking inherent in this communication, and how the program on the other end responds to attempts to cause buffer overflows, bad parameter passing, malformed messages, et al.

  4. K. Adams
    Boffin

    Spontaneous combustion...

    ... may not be an impossible result, if the chip controls (to a certain extent) the charging and battery safety circuitry, and can be hacked so voltage or current detection thresholds are skewed appropriately.

    For example (and very simplistically), your typical, properly-maintained, not-worn-out lithium-ion battery cell is charged to around 4.2 volts. Once the 4.2 volt threshold is reached, charging current will begin to drop. When the charging current drops to about 3% of the nominal charging current, the charger will usually exit its continuous-charge mode, and will either wait until cell voltage drops to a certain level before starting a new charge cycle, or will trickle-charge the cell intermittently using a timer.

    If the chip being discussed controls charging cycles and safety, and its detection thresholds can be overridden so that it (hypothetically) reads the 4.2 volt full-charge threshold as 3.9 volts, and tells the charger to keep pushing a 100% nominal charge current into the battery even though it is already fully charged, the battery **could** conceivably overheat, rupture, and catch fire from the abuse.

    Not something I'd like to encounter, if I have a habit of actually using my laptop on my lap, such as on the train while I'm commuting to/from work...

    1. Anonymous Coward
      Anonymous Coward

      If, maybe, perhaps if, then if

      Wake me up when any of them are true.

      1. Anonymous Coward
        Alert

        Yes…

        http://www.theregister.co.uk/2003/01/17/dell_laptop_named_in_sa/

        http://www.theregister.co.uk/2011/05/31/hp_laptop_battery_recall/

        http://www.theregister.co.uk/2005/05/20/apple_recalls_batteries/

        http://www.theregister.co.uk/2008/10/30/sony_battery_recall_october_2008/

        You were saying?

        Those were as a result of a bad batch of batteries, or third party batteries, but they prove just how volatile the things can be. Lithium Cobalt were shockers for this. Lithium-Polymer(-hybrid) are also very volatile.

        This is why they have fancy charge controllers that continually monitor the heat, current flow and individual cell voltage, trying to balance the cells' voltage and ensure current demands stay within safe limits.

        Should someone screw with this, the results could be disastrous.

    2. Anonymous Coward
      Devil

      re: Spontaneous combustion

      I agree with all your points, except that a typical smart battery has two controllers, one to control the charge safely and the other is the 'fuel gauge' which amongst other things drives the row of LEDs on the outside of the battery. Neither of these has direct control over the current in or out; the laptop's PSU handles that which communicates with these controllers over an I2C link. But either can simply disconnect the cells entirely by switching off FETs in series with the battery terminals if they detect something is awry.

      Both controllers would probably need to be doctored to actually get the battery to go up and then it could only happen whilst on charge.

      As a last line of defence there are usually a couple of thermal fuses in series too which one would hope would go open circuit before any actual explosion.
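
The layered protection described in the two comments above, as a toy simulation added here (not part of the thread and not any vendor's firmware): the charger trusts the voltage the gauge reports, while a second protector measures the cell itself and opens the series FETs. The nominal current, taper slope, trip point and cell model are assumed values chosen for illustration.

```python
# Toy model, constructed for illustration: millivolts, milliamps, abstract time steps.
FULL_MV = 4200                      # full-charge threshold quoted in the comment
NOMINAL_MA = 2000                   # assumed nominal charge current
TERMINATE_MA = 0.03 * NOMINAL_MA    # leave continuous charge at about 3% of nominal
TAPER_MA_PER_MV = 10                # assumed taper slope close to the threshold
OVP_MV = 4300                       # assumed trip point of the independent protector
MV_PER_MA_STEP = 0.01               # assumed cell voltage rise per mA per step


def charge(gauge_offset_mv=0.0, protector_enabled=True,
           start_mv=3600.0, max_steps=10_000):
    """Run one charge cycle; return (peak cell voltage in mV, who stopped it)."""
    cell_mv = start_mv
    for _ in range(max_steps):
        # Protector: its own measurement path, independent of the gauge's
        # calibration data, disconnects the cells on over-voltage.
        if protector_enabled and cell_mv >= OVP_MV:
            return cell_mv, "protector"
        # The charger only sees what the gauge reports over the bus.
        reported_mv = cell_mv + gauge_offset_mv
        current_ma = min(NOMINAL_MA, TAPER_MA_PER_MV * (FULL_MV - reported_mv))
        if current_ma <= TERMINATE_MA:
            return cell_mv, "charger"
        cell_mv += current_ma * MV_PER_MA_STEP
    return cell_mv, "timeout"


def scenarios():
    """The three cases the comments discuss, side by side."""
    return {
        # Correct thresholds: the charger terminates just under 4.2 V.
        "honest_gauge": charge(gauge_offset_mv=0.0),
        # Gauge reads 4.2 V as 3.9 V and nothing else is watching.
        "skewed_gauge_only": charge(gauge_offset_mv=-300.0, protector_enabled=False),
        # Same skew, but the second controller still measures the real cell.
        "skewed_gauge_with_protector": charge(gauge_offset_mv=-300.0),
    }


if __name__ == "__main__":
    for name, (peak_mv, stopped_by) in scenarios().items():
        print(f"{name:30s} peak={peak_mv:7.1f} mV  stopped_by={stopped_by}")
```

The third case only holds if the protector's thresholds cannot be rewritten through the same channel as the gauge's, which is the point of the "both controllers would need to be doctored" remark.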

    3. Anonymous Coward
      Terminator

      historical precedent

      Philip of Macedonia sent Sparta a message, "You are advised to submit without further delay, for if I bring my army into your land, I will destroy your farms, slay your people, and raze your city."

      They replied "If".

  5. Anonymous Coward
    Facepalm

    Does not compute

    Apple computers don't get viruses or spam... most Apple users swear so.

    1. Volker Hett

      Yes

      that's because nobody uses Apple Computers and thus it makes no sense to write malware for a small niche market, better attack something more users use, like Android tablets.

  6. Anonymous Coward
    WTF?

    Firmware? Controllers?

    Am I *that* behind the times?? When did batteries start coming with controllers, firmware, and updates..??

    1. K. Adams
      Boffin

      "When did batteries start coming with controllers/firmware/updates..??"

      About the time device manufacturers started moving from Nickel Cadmium [NiCd] and (early) Nickel Metal Hydride [NiMH] to Lithium Ion and Lithium Polymer...

      Lithium-based batteries have a significantly higher energy density per unit mass than the Nickel-based batteries, but they are also constructed from chemicals that are much more volatile, and so require active safety measures (such as charge control and safety circuits) to prevent criticality excursions...

      1. Anonymous Coward
        Anonymous Coward

        I'm just going out...

        ...On a criticality excursion.

        I may be some time.

    2. Black Betty

      My money is on when Steve decided...

      ...to borrow a page from the printer manufacturer's book, and use a chip to block third party products.

      In the name of protecting the customer from dodgy products of course.

      1. Tom 35

        When?

        They have been doing it for some time. But to tax 3rd party products. You need to buy a chip from Apple to make your iPhone/Pod add on work.

  7. Sorry that handle is already taken. Silver badge

    State of the art

    I thought that opening line read "state of the art security problems", which seemed plausibly Reg style so I didn't immediately pick up on it. Got a chuckle out of it nonetheless.

  8. CmdrX3
    Mushroom

    A while ago

    This puts me in mind of a nasty version of Dark Alex's Pandora's battery for Sony's PSP which targeted the battery's firmware and turned the battery into a very nice modding tool.

  9. Turgut Kalfaoglu

    very clever hack!

    That's a very clever hack. Perhaps it just shows that we are overly computerized now. A battery with firmware that's remotely upgradable?

  10. bazza Silver badge
    Mushroom

    Questions questions questions!

    If zapware were to get on to a laptop, would Apple honour a warranty? And if the battery could be set to become dangerous, with whom would the liability rest?

    If battery fires are a real possibility Apple would need to sort that out sooner rather than later. Millions of laptop batteries going up in smoke would almost certainly lead to expensive court cases at the very least, with deaths at the other end of the scale of possibilities. Sounds like they ought to be able to push out a fix as a software update. Also airlines would certainly be well advised to consider whether Mac laptop batteries were safe enough to be allowed on flights.

    But hang on a mo - has anyone checked to see if this is a feature of laptop batteries in general? I don't suppose PC laptop batteries are so very different.

  11. Giles Jones Gold badge

    Erm

    Guess what, you can brick a PC by using some Windows BIOS flash software.

    I'm sure there's some software that could do the same for SATA drive firmware.

    1. Adam Foxton
      Facepalm

      Neither Windows nor SATA drives

      are explosive. Lithium batteries can be if you screw with their controllers.

    2. John Bailey

      iCriticism deflection strategy number 2..

      Everybody else has the same problem.. Even if they don't really.

    3. Tim Bates
      Joke

      SATA firmware...

      There was a SATA firmware that could disable your computer... Seagate made it for their earlier 1TB drives (and all others in that series). Version SN04 if I'm not mistaken (I've got one sitting in front of me...).

  12. Tchou
    FAIL

    Guess What

    Windows or Linux never branded themselves State of the art in security nor World's most Advanced, and didn't call their tech support Geniuses.

    They have their weaknesses, but at least they are more honest when it comes to talking about what they do.

  13. Anonymous Coward
    Anonymous Coward

    RE Erm

    Yes you can kill a PC by flashing the BIOS with a corrupt version, yes you can do the same with a SATA drive but both are recoverable from if you have the right knowledge. That is the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even override safety protocols to make the battery explode how exactly?

    The next question is will Apple be providing a firmware flash tool for the battery so that if somehow you do get a tainted battery you can fix it with a clean version of the firmware or will they rely on the goodwill of a 3rd party and stick with his password change fix to hopefully prevent infection in the first place? They could always take the default Apple position of sticking their fingers in their ears shouting lalalalalalalalala there is no problem, Apple are perfect and any problems you may encounter are entirely your own fault as it couldn't possibly be us.

    1. Brewster's Angle Grinder Silver badge
      Pirate

      Some PC motherboards have BIOS bricking protection...

      If my BIOS gets corrupted a "backup BIOS" reflashes the main one with a factory copy.

    2. Jason Togneri
      Boffin

      @AC 23.7 11:52 / Rootkit

      "How exactly is that the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even override safety protocols to make the battery explode?"*

      They have been putting "persistent malware" on hard drives and flash BIOS chips for years. It's called rootkits.

      *paraphrased slightly for legibility

  14. Patrick O'Reilly

    black hat?

    Surely a blackhat wouldn't a) tell everyone that the flaw existed. b) release a tool to fix it.

    1. Anonymous Coward
      Alert

      Black Hat, not blackhat

      They didn't say he *is* a blackhat, just that he's going to release details at the Black Hat conference.

      If nobody released details there, there wouldn't be a conference at all.

    2. Random Handle

      @Patrick

      Miller is ex-NSA and very much a white hat - unless you're Apple I suppose.

  15. Hardcastle the ancient

    World gone mad

    If the batteries have firmware and a password, I think we have gone past the point of no return. If you /must/ have a brain in a battery, why isn't it mask programmed? Just how smart does a battery need to be?

    It seems like madness to me.

    1. bazza Silver badge

      @Hardcastle The Ancient: Costs, I expect

      "If you /must/ have a brain in a battery, why isn't it mask programmed? Just how smart does a battery need to be?"

      Saves having to spend money on doing a mask for every single different battery design, much cheaper. Of course, 'cheaper' is a word that has both short and long term considerations. Business doesn't do long term very well, and a pricey round of court cases can turn previous short term profit gains into an expensive option.

  16. Anonymous Coward
    Anonymous Coward

    Authenticated challenge-response would have raised the bar

    Some batteries in some products do have it.
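
What authenticated challenge-response buys over a fixed unlock password, as an example added here (not part of the thread and not any battery vendor's protocol): a recorded password keeps working, while a recorded response to an old nonce does not. The class names, the HMAC-SHA256 construction, the context label and the per-pack key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class StaticPasswordPack:
    """Unlock with one fixed password: a value seen once on the bus works forever."""

    def __init__(self, password: bytes):
        self.password = password

    def unlock(self, presented: bytes) -> bool:
        return hmac.compare_digest(self.password, presented)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Host side: HMAC-SHA256 over a fixed context label plus the pack's nonce."""
    return hmac.new(key, b"fw-unlock|" + nonce, hashlib.sha256).digest()


class ChallengeResponsePack:
    """Unlock by proving knowledge of a key over a fresh, single-use nonce."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, response: bytes) -> bool:
        nonce, self.pending = self.pending, None    # a nonce is consumed on use
        if nonce is None:                           # no challenge outstanding
            return False
        return hmac.compare_digest(respond(self.key, nonce), response)


def replay_comparison() -> dict:
    """Record one legitimate unlock of each kind, then present the recording again."""
    static = StaticPasswordPack(b"constructed-default")   # constructed sample value
    recorded_password = b"constructed-default"            # seen in one legitimate session

    key = secrets.token_bytes(32)      # assumed to be provisioned per pack, not shared
    pack = ChallengeResponsePack(key)
    nonce = pack.challenge()
    recorded_response = respond(key, nonce)
    legit = pack.unlock(recorded_response)

    pack.challenge()                                # later session, different nonce
    replayed = pack.unlock(recorded_response)       # old response, new nonce
    unsolicited = pack.unlock(recorded_response)    # no challenge was requested

    return {
        "static_replay_accepted": static.unlock(recorded_password),
        "cr_legit_accepted": legit,
        "cr_replay_accepted": replayed,
        "cr_unsolicited_accepted": unsolicited,
    }


if __name__ == "__main__":
    for check, accepted in replay_comparison().items():
        print(f"{check:26s} {accepted}")
```

The scheme raises the bar only as far as the key is protected: a key shared across every pack of a model is one extraction away from being another default password.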

  17. John Savard

    Outrageous

    It is absolutely outrageous and unacceptable that there isn't some way to push a button on a battery and totally reset the software, so that a user can quickly and easily fix such a thing without having to spend money to take it in to be fixed.

    Of course, the idea of a battery having a little computer inside it is rather strange as well.

    We've already seen, though, that many Macintosh models don't have an eject hole for their CD drives, so this kind of deficiency has been encountered before. A Mac may be much less subject to viruses than a PC, but the system's inflexibility sometimes deprives the user of recovery options.

  18. LPF

    hold on a second

    Surely if you have access to the battery you already have access to the damn machine?

    1. bazza Silver badge

      @LPF, not necessarily so...

      Macs aren't exactly immune to remote code execution attacks. It wouldn't take much more than a booby trapped website (www.makemymacgoboom.com? Anyone bought that one yet?) to run the necessary code on anyone's Mac who happened to visit it.

      Human nature being what it is, it will only be a matter of time before some script kiddie tries to detonate Macs all around the world simultaneously courtesy of a trojan payload with a timed execution time, "just for the fun of it".

  19. Anonymous Coward
    Flame

    Homeland Security

    Will make sure that the Internet gets shut down to stop something like this if it is released, no questions asked.

    It's a matter of potentially thousands of fires within a short space of time, no way will they let this happen without a fight.

    Maybe Obama might get to use the infamous Internet Kill Switch aka the Big Red Button.

    AC/DC

  20. slooth
    Stop

    So: not SO secure..........

    So, Lion is more secure, more robust.....

    Let's see:

    a) we have bad pre-emption by vendors - http://www.theregister.co.uk/2011/07/22/mac_lion_kills_celerra/ - yes, they should have run beta versions.

    b) we have bad assumptions by writers - http://www.theregister.co.uk/2011/07/21/mac_os_x_lion_security/

    If I can kill a machine by attacking the battery, how is this more secure than any other operating system?

    Methinks writers are too quick to spout off about the newest, bestest OS for xx-machine out there.

    Geez, at least let it run a month before deciding how good or bad it is!

  21. Mr Young
    Happy

    Aaah, good old micros - they are everywhere

    Did this guy actually read the code back from the battery micro? Did somebody somewhere forget to set the code protect options bits? Or maybe it's a default password free for all? Oops either way and I guess that'll get sorted pretty quickly

  22. Matt Bucknall
    Coat

    You couldn't even take it to the genius bar.

    Yeah, must be real bad. If those guys can't sort it out, no one can!

  23. Anonymous Coward
    Anonymous Coward

    Thank you, and goodnight

    I wondered when the rock bottom level of stupidity would finally reach The Reg.

    The writers are still as fantastic as they've ever been - and do attend the conferences (Hi John - how are you?)

    But the commentards... do you now need to fail a technology IQ test to post...?

    1. Mr Young
      Happy

      "rock bottom level of stupidity?" Come on?

      I, at least, could try harder if this isn't good enough for you

  24. Joe Montana
    Megaphone

    Apple specific, or???

    Is this actually an Apple specific issue, or does this apply to other machines as well?

    It's not uncommon for someone to initially target Apple with their research because it's a high profile target, only to later admit that other vendors have exactly the same issues.

    1. Tim Bates
      FAIL

      Of course...

      It would certainly apply to other vendors who are stupid enough to have batteries that can have firmware arbitrarily updated... But at this stage, Apple is singled out because that's the vendor it's been discovered with. Until someone goes and checks other vendors' products, no one will know.

  25. Andy Farley
    Thumb Down

    Making things clever

    is often really dumb.

  26. johnnymotel
    Holmes

    the original article...

    http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/

    I would say that other vendors using similar batteries will have a similar issue as Apple. Miller is a Mac security expert and only looks at Mac. The fact that he is the first to discover it, indicates how obscure this attack is. However, I am certain that Apple and others will produce an update to create a random password.

    I am certain Mr Miller had direct access via Terminal to do this hack.

    So long as Mac users run their main account as Standard and not Admin, intelligent users are well protected, plus if they upgrade to Lion they will be even more protected.

  27. ColonelClaw
    FAIL

    Nothing to see here

    Next it will be "MACBOOK IS SUSCEPTIBLE TO ATTACK FROM NAKED LUNATIC WITH AXE"

    I'm willing to bet a new Macbook Air that this 'vulnerability' will never be exploited, this being barrel-scraping at its finest.

  28. Alexander Rogge

    Airport security trouble

    Wait until airport security finds out about this. We've seen the Dell batteries catching fire, and now we find out that laptop batteries can be hijacked remotely and set to explode. No more laptops on planes, and this after the MacBook Air just got the Transportation Security Administration's approval for carry-on luggage without suspicion.
