Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Hacking Laptop Batteries

Laptop Battery Firmware

Hacking Laptop Batteries

Laptop Battery Firmware

Hacking Laptop Batteries

The firmware within your Mac computer battery can be compromised, says a security researcher who discovered the default passwords left out in the clear. Next week in Las Vegas, Accuvant’s security researcher Charlie Miller plans to reveal the full details (and a solution) at his talk at Black Hat USA. When you stop and think about it attacking the firmware on a battery pack makes perfect sense.

Batteries (and not just in Mac computers) use microcontrollers to tell the lithium battery when it’s full and when it needs to be recharged. The chips also to report to the operating system an interim status report you can monitor your battery usage and be prompted in advance to recharge your battery. So it also makes sense that updates to the firmware can improve the life of your battery—or severely degrade it.

Miller found that the batteries shipped with Apple Macbooks, Macbook Pros and Macbook Airs had their firmware default password exposed, allowing anyone who bothered to look to hack the battery. What good is hacking the battery, you say?

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends

Miller told Forbes.com and other publications that a cybercriminal could permanently ruin the battery. By entering the wrong codes, Miller managed to “brick” several Mac batteries, which cost him about $130 each. He could have also caused the battery to explode, something Miller says he didn’t try in part because he works at home.

More intriguing is that cybercriminals could also install malware that would remain on the device no matter how many times you reinstalled the operating system. That’s because traditional methods of eradicating persistent malware would fail: reinstalling the operating system, replacing the hard drive, re-flashing the BIOS—none of these would remove the true source of the infection. We need to consider replacing the battery now as well.

There are of course the fine details. Getting to the battery microcontroller requires some work. Attacking the battery would require finding another vulnerability in the interface between the chip and the operating system. But Miller said that’s not much of a barrier. How many operating systems include batteries as an attack vector? Miller has informed both Apple and Texas Instruments, the company that makes the microcontrollers, about his research.

Advertisement. Scroll to continue reading.

Miller’s no stranger to Apple products. Earlier this year, he and a handful of other security researchers were given an advance look at Apple’s new Lion operating system.

It’s good that researchers like Miller are considering the devices holistically. In previous columns I talked about hacking mice, keyboards, and even office printers. Anything with a microcontroller and/or access to the Internet needs to be secure. Just because these vectors haven’t been exploited widely doesn’t mean that they won’t someday.

There’s an Embedded Security track at Black Hat next week, and I’ll be there finding out what other common gadgets are vulnerable to new attacks. Just as the cybercriminal often thinks outside the box to find a Zero Day, or develop a new vector of attack. As the self-appointed Good Guys, we should also be exercising our creative minds and, at the very least, anticipating some of these new attacks as well.

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends

Related Reading: Introduction to Security for Smart Object Networks Devices w/Free Software Trial

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.