Laptop Batteries May be Backdoor for Hackers
When it comes to securing your laptop against intrusion, it’s likely that you gave little thought to its onboard battery. But security researcher Charlie Miller believes that laptop batteries, particularly those found in Apple machines, could be exploited to cause all sorts of unpleasantness.
It turns out that laptop batteries are not the inert chunks of various metals like AAs or D-cells. On Apple laptops, the lithium-ion batteries include a microcontroller which performs numerous functions from monitoring charge levels to regulating heat. This controller is protected by two default passwords, which allow Apple to occasionally push software fixes and tweaks on battery performance through their normal system update process. One such update occurred in 2009, which Miller sifted through to recover the passwords.
With this in hand, Miller has shown that he can gain access to the battery’s micorcontroller and send whatever information he likes to the computer, “bricking” the battery so it cannot be recognized by the computer, or even rewriting the firmware entirely. This last point is particularly interesting, since Miller believes that with a little more tinkering it would be possible to load malware onto the battery which would launch at startup and force the computer to do whatever he wanted. He even suggested that remote overheating or physical damage to the battery — and we’re talking fire or explosions here — could possibly be done remotely.
Now before you call the bombsquad to carry off your laptop there are some major caveats here. First off, while Miller does believe that batteries could be physically damaged with malicious battery firmware, he has not proved that it could be done. Secondly, Miller admits that while he has found a way to load code onto the battery controller, he has yet to find a way to execute that code on the computer. To do so, he’d need to find a second vulnerability in how the battery and computer communicate. He did tell Forbes, however, “Presumably Apple has never considered that as an attack vector, so it’s very possible it’s vulnerable.”
Last, and more importantly, for any of this to actually matter, someone would have to have physical access to your battery. It’s unlikely that they could simply slip a malware-laden battery into your computer while you were distracted, although any battery purchased from a non-Apple retailer could be vulnerable to the activities of ne’r-do-wells.
Miller, for his part, has sought to close what he thinks is a dangerous loophole. He says he’s sent his battery research to Apple, as well as other companies whose products he investigated, along with a tool he calls CaulkGun. CaulkGun replaces the default battery microcontroller passwords with random strings, which would solve the problem at the cost of Apple’s ability to push updates to the battery. Miller also intends to publicly provide his findings at August’s Black Hat security conference.
With any luck, this issue will be patched up quick before anyone sees what else it can do.