Could hackers set fire to your Apple battery with a virus? Some recent news stories seem to suggest that they might.
One uncompromising headline certainly implies that battery-based malware – whether inferno-related or not – is an inevitability, trumpeting proudly that “Apple laptop batteries are the new attack vector.”
That remains to be seen, as does reverse-engineering maestro Charlie Miller’s talk at the upcoming Black Hat conference in Las Vegas, where the paper which spurred these headlines will be presented.
You’ve probably noticed that modern operating systems can tell you an awful lot about your battery, including its rated power, its current charge, how fast it’s charging, and more.
This is because the battery pack includes not just Lithium-based power cells, but also an embedded processor with its own firmware.
Miller spent some time – and quite a bit of his own money on “bricked” batteries, too! – working out how Apple Macbooks interact with their power packs, reverse engineering the battery firmware and working out how to modify it. According to reports, Miller was inspired to do this following an Apple software update in 2009 in which Apple tweaked its own battery firmware, thus helping him zoom in on the code which interacted with the battery device.
It turns out that the firmware is password protected, but the passwords (like the iPhone’s root password) are the same across all Apple hardware. This helps prevent inadvertent modification, but unsurprisingly doesn’t protect against a malicious attacker with administrative access.
Of course, the issue of malware in field-updatable firmware is not new. In the late 1990s, Taiwanese student Chen Ing Hau released the CIH, or Chernobyl, virus which included a warhead which tried to reflash your BIOS on 26 April.
If you had the right – or wrong – sort of BIOS chip, your BIOS was toast. On the next reboot, your PC would hang when it executed just its second instruction after power-up. So you couldn’t even get far enough to run an emergency BIOS reflashing utility.
Surprisingly, at least in my opinion, no malware ever appeared in the wild to do more than simply “brick” an affected PC’s BIOS, even though most personal computer BIOSes still aren’t protected with any sort of hardware safety interlock.
A hardware interlock wouldn’t prevent an attack against your BIOS, or against your battery. But it would certainly help prevent unexpected modification of system firmware if all firmware updates required the user to hold down a button-operated switch, and if attempts to write to the firmware were to raise an alarm whenever the switch was not depressed.
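The interlock proposed above, modelled in software as an added example (not code from the article or from any vendor). The device structure, function names and sample bytes are assumptions made for illustration; a real interlock would gate the flash chip's write-enable line in hardware.

```c
/* Added illustration: software model of a firmware write interlock.
   All names are hypothetical; real enforcement belongs in hardware. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FW_SIZE 64

struct fw_device {
    uint8_t  image[FW_SIZE];  /* field-updatable firmware region */
    bool     switch_pressed;  /* physical button state, changed only by the user */
    unsigned alarm_count;     /* latched count of blocked write attempts */
};

enum fw_status { FW_OK = 0, FW_BLOCKED = -1, FW_RANGE = -2 };

/* The only path to the image. Software has no way to set switch_pressed;
   in this model only fw_user_switch() (the finger on the button) does. */
enum fw_status fw_write(struct fw_device *d, size_t off,
                        const uint8_t *src, size_t len)
{
    if (off > FW_SIZE || len > FW_SIZE - off)
        return FW_RANGE;          /* reject out-of-range requests first */
    if (!d->switch_pressed) {
        d->alarm_count++;         /* write with switch released: raise the alarm */
        return FW_BLOCKED;        /* image is left untouched */
    }
    memcpy(d->image + off, src, len);
    return FW_OK;
}

void fw_user_switch(struct fw_device *d, bool pressed) { d->switch_pressed = pressed; }

/* Constructed scenario: an unattended write, then a user-approved update. */
int demo(void)
{
    struct fw_device d = { .image = {0}, .switch_pressed = false, .alarm_count = 0 };
    const uint8_t patch[4] = { 0xDE, 0xAD, 0xBE, 0xEF };  /* constructed sample bytes */

    if (fw_write(&d, 0, patch, sizeof patch) != FW_BLOCKED) return 1;
    if (d.alarm_count != 1 || d.image[0] != 0) return 2;

    fw_user_switch(&d, true);     /* user holds the button down */
    if (fw_write(&d, 0, patch, sizeof patch) != FW_OK) return 3;
    fw_user_switch(&d, false);
    return (d.image[0] == 0xDE && d.alarm_count == 1) ? 0 : 4;
}

int main(void) { return demo(); }
```

The alarm counter is the detection half of the design: a non-zero value means something tried to reflash the device while nobody was holding the switch.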
So, are Apple laptop batteries the new attack vector? Could a virus set your beloved Macbook on fire?
The answer to the first question is: no more so than any other hardware in your system with field-updatable firmware. That includes the motherboard itself, your wireless card, your 3G modem, network card, graphics device, storage devices and much more. Including, of course, the battery pack. And – as Apple fans reading this article will be happy to note – the risk is not unique to Apple, though Charlie Miller’s paper is.
The answer to the second question seems to be: not if the battery is correctly manufactured. As Andy Greenberg points out on Forbes.com, “the batteries [Miller] examined have other safeguards against explosions: fuses that contain an alloy that melts at high temperatures to break the circuit and prevent further charging.”
challenge accepted
This article was really boring and dull. I usually re-post these on Facebook and get a standing ovation for how interesting and enlightening they are, especially the Facebook scam links. Thank God I read this one before I blindly shared it.
Sorry to have disappointed you. Perhaps you could tweak the headline when you re-post the article? For example, "Could hackers set fire to your Apple battery with a virus which infiltrated your computer via a Facebook scam?"
I however really enjoyed the read, nice and refreshing change to Anon stealing all the content along with Facebook scams.
*Thumbs up*
Do other batteries work the same way? I.e. Dell battery packs?
Do they have dedicated firmware?
Was this post intended to be informative, to scare people or just to get some story out on the web?
Hmmm. That's something you're supposed to decide for yourself, isn't it?
However, I'm sure it's not meant to be scary. Otherwise, the author surely wouldn't have played _down_ the headlines which are appearing elsewhere (like "Apple laptop batteries are the new attack vector"), and wouldn't have argued that malware to immolate your battery is decidedly _unlikely_ unless there's a manufacturing flaw.
As for being informative – that depends on you. It was obviously informative to some readers, because they've said so in various places. At least the article didn't focus only on the risk to Apple batteries like most of the other articles on the topic seem to have done…
Gee some people….?? Why are you asking if it was intended to be informative – if you were informed then yes, if not then no, quite simple really.
Good article!
How do you understand “attack vector”?
At first, I took it in the way the boot sector of a floppy disc used to be a very common attack vector, in that malicious manipulation of it could be used to achieve infection of the PC of anyone who happened to turn the machine on whilst that disc was in the drive, or as USB flash memory sticks (with autorun.inf) have been in more recent times.
So, I was thinking that slotting in a poisoned battery pack could get your Mac infected with a rootkit or some other choice malware. However, I'm not sure that was being claimed. The bad battery would need to exploit some sort of buffer-overrun error, in the Mac's battery-handling code, as I doubt the Mac is designed to execute code found in its batteries. (This sort of infection strategy might just be effective for an attack on a large corporation, but I don't think many home users exchange batteries often enough for there to be a general outbreak.)
I didn't "understand" the term attack vector in this context – which is why I pilloried that headline 🙂
As far as getting control at boot time (or later), the firmware of most attached peripherals would not be a convenient place for that. (The boot sector worked so well because it was the very first thing which ran, by design. And autorun.inf because it did exactly what it said.)
But you can imagine the sort of bad stuff dodgy firmware could do beyond "bricking" the peripheral. A random selection of network packets redirected to a monitoring station, perhaps, or WiFi keys leaked…
Firmware is just another "domain" of attack in systems. Gaining secure control of all modifiable areas of a network, PC, or any computer device is paramount. Putting these entities under the scope of the network will always only be as secure as the data that interacts with the code, and those who maintain the protocols in which these areas can be interfaced.
The key to this problem is to monitor firmware code (via a 3rd party app) for a signature and alert the end user, as a virus attack.
Chris L. Fleshner
Patent Perspectives, Inc.
There was a Black Hat demo a couple of years back where the gent running the demo gained control of the GPU and ran all his exploits from there. He walked all over the PCI bus, across the motherboard chipsets, etc. It was very eye-opening.