A security researcher is to demonstrate hacking Mac laptop chips, causing them to run malicious code or overheat
The batteries used in many Mac laptop computers are vulnerable to attack, meaning they could potentially be made to explode or run malicious code, according to security researcher Charlie Miller, who will present his findings at the Black Hat security conference next week.
Miller’s research takes as its starting point the fact that laptop batteries now include advanced microcontrollers that interface with the computer’s operating system and control the battery’s ability to charge.
Mac laptops vulnerable
Miller, who is principal research consultant at Accuvant Labs, focused on an embedded controller used in the lithium ion and lithium polymer batteries of a large number of MacBook, MacBook Pro and MacBook Air laptops.
He found that these controllers ship with a default password, which he discovered by analysing a 2009 Mac OS X security update that fixed battery issues.
Using that password, Miller was able to reverse engineer the firmware and the firmware flashing process for the controller in question. He found he could take complete control of the controller by modifying its firmware.
“I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware,” he said in an abstract of the upcoming presentation. “Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.”
Miller told Forbes he will also present a fix for the issue in the form of a program called Caulkgun that changes the battery password to a random string. However, this also prevents Apple from using the default password to correct problems with the battery firmware, Miller noted.
The hack could allow an attacker to install malware on a battery that would continue to re-infect a system until the battery was removed, Miller said. This would require a separate hack into the interface between the OS and the battery, but such a hack would probably not be difficult, since Apple probably hasn’t guarded against such an attack vector, he told Forbes.
Another possibility could be to cause the battery to overheat or catch fire, although Miller acknowledged he hadn’t tested that particular theory.
Miller said he has informed Apple of the issue. Apple didn’t respond to a request for comment as of the present writing.
The Black Hat conference runs from 30 July to 2 August in Las Vegas.
Last month HP began recalling 162,000 lithium-ion laptop batteries after a number of people reported incidents of injuries and burns affecting batteries that hadn’t been included in an earlier recall.
In May 2010 HP announced a recall programme affecting about 54,000 batteries, which itself followed on from a May 2009 recall affecting about 70,000 batteries, according to the US Consumer Product Safety Commission (CPSC).
Since the May 2010 recall, however, HP said it had received 40 reports of batteries that overheated and ruptured, resulting in seven burn injuries, one smoke inhalation injury and 36 instances of property damage, according to the CPSC.