Apple Battery Hack
July 26, 2011 9:14 AM
How a Security Researcher Discovered the Apple Battery ‘Hack’ - How to destroy Hardware with Software.
AppleTechnica had a better write up yesterday.
Miller also told Ars that the battery firmware hack could be used to create a sort of "permanent" malware infection. Such malware, or at least a portion of it, could be installed in the microcontroller's flash memory. Even if an infected computer's drive were replaced and the operating system re-installed, it's possible that an exploit could allow the malware to be reloaded from a laptop's Smart Battery System firmware.
posted by Pogo_Fuzzybutt at 9:30 AM on July 26, 2011
It sounds like one of those "It rather involved being on the other side of this airtight hatchway" issues ...
This isn't the same thing as accomplishing some sort of privilege use that is already permitted. I expect (perhaps unreasonably) that having root access should not allow me to be able to physically damage computer hardware. This is a proof of concept that that expectation is not accurate, at least in the case of this device.
posted by grouse at 9:34 AM on July 26, 2011 [3 favorites]
Yah, but those "non-volatile memory permanent virus" scare words have been around for several years. Haven't seen a payload of it .. yet ...
posted by k5.user at 9:34 AM on July 26, 2011
The "permanent malware infection" aspect is awfully ambitious. There's no shared data bus with normal components, so basically the only thing that malware could do without having some other malware /also/ installed is still limited to mucking with the charge rate.
The "mucking with the charge rate" aspect is fairly uninteresting, because you can also do a fairly significant amount of that from the system side without re-writing the battery's microcontroller's firmware.
In short: I'm tired of "security researcher" meaning "somebody who learned something about his computer". When my father discovered Alt+Tab, it was not security research.
posted by atbash at 9:35 AM on July 26, 2011 [3 favorites]
you can't write anything to the battery unless you are root
I think part of the point is that all Apple batteries are protected using a default password. Once you know it, you can access it.
I think this guy is trying to half-heartedly create a panic, and it's half-heartedly working.
posted by jabberjaw at 9:36 AM on July 26, 2011 [1 favorite]
a sort of "permanent" malware infection
So it's like Bonjour, then?
Zing!
posted by Sys Rq at 9:36 AM on July 26, 2011 [9 favorites]
The "mucking with the charge rate" aspect is fairly uninteresting, because you can also do a fairly significant amount of that from the system side without re-writing the battery's microcontroller's firmware.
Well, in that case it is an "airtight hatchway" issue, assuming that bricking the battery from software has been previously demonstrated.
posted by grouse at 9:38 AM on July 26, 2011
If you have root access, you can do all sorts of crappy things to the hardware. Write raw garbage to the disk all you want, clobber mem-map IO, futz with the ROM/firmware and brick your device. (Can you modify/overclock the CPU/mobo voltages on a mac like you can on windows ? )
jabberjaw - that's what's not clear to me .. You shouldn't be able to get to the password prompt without being root -- users shouldn't have access to whatever method it is that gets you to the password prompt. (At least, they can't on the system I've worked with; Linux-based battery config is exported via sysfs, and only root has write permissions.)
posted by k5.user at 9:42 AM on July 26, 2011
I think part of the point is that all Apple batteries are protected using a default password. Once you know it, you can access it.
You can't talk to the bus it's on unless you're root. So once you're root and you know the default password for the write-firmware sequence, then you can write a new firmware to it.
If they fix the bug, i.e. use a password that's not public, then all you need is an oscilloscope and the password is remarkably public again.
posted by atbash at 9:43 AM on July 26, 2011 [2 favorites]
Based on his past exploit-finding history, Charlie Miller is certainly able to get root access on a Mac, if he wishes to.
posted by smackfu at 9:44 AM on July 26, 2011 [1 favorite]
In short: I'm tired of "security researcher" meaning "somebody who learned something about his computer". When my father discovered Alt+Tab, it was not security research.
Just like how anyone who runs a script successfully is now a big bad hacker in the media.
posted by Theta States at 9:45 AM on July 26, 2011 [2 favorites]
Interesting.
In a parallel piece of research I've discovered a hack to destroy my iphone battery.
Charge it up, switch on the phone and then wait 24 hours until the thing has no juice whatsoever. Amazing.
posted by MuffinMan at 9:54 AM on July 26, 2011
“Lithium-ion batteries are potentially dangerous, and it’s possible that futzing with the parameters could cause the battery to fail at best, or explode at worst,” Miller said. “I know there are internal fuses and other safeguards to prevent that from happening, and I never did it myself, but there’s certainly potential to get some malware to rewrite the smart battery firmware and cause some catastrophic failure.”
This is actually pretty meh. All he actually did, in practice, was fry the batteries, no matter what he says he can do.
posted by misha at 9:59 AM on July 26, 2011
Since when do we expect the firmware on a goddamn battery to be secure? I'm actually more bothered by the strange obfuscatory crap Apple has embedded into their charging technology than I am by the fact that some random guy has learned just enough embedded software development skill to poke around at a microcontroller.
posted by Mars Saxman at 10:03 AM on July 26, 2011 [2 favorites]
What is worse is that Apple themselves incites its users to hack their own batteries by issuing occasional firmware updates!
I am going to assume the battery engineers don't want to spray molten metal all over their users and they are going to put in safety circuits that can't be touched by firmware updates. 'Splosion or it didn't happen.
posted by RobotVoodooPower at 10:10 AM on July 26, 2011
I'm tired of "security researcher" meaning "somebody who learned something about his computer".
Sure, but this guy actually knows security, having won the Pwn2Own contest twice, and has discovered dozens of exploits in Linux and Apple's OSes over the years.
posted by zsazsa at 10:13 AM on July 26, 2011 [8 favorites]
Not sure what about this is new... the smart battery stuff has been around for quite some time, default passwords and all. Almost all of 'em- not just Apple- are easy to communicate with, most commonly when you're replacing cells, rebuilding batteries and so forth. See-
Battery EEPROM Works
smart battery resetter
smart battery data viewer/writer
And yes, there's hardwired protection in the form of thermal fuses which open if the internal temp gets too high- this doesn't (can't) protect fully against cell faults, but intentional muckery with charging rates etc. should be well taken care of.
posted by drhydro at 10:22 AM on July 26, 2011
In my experience, Mac laptop batteries routinely brick themselves. If, of course, the whole power and charging system is even functioning (which let's be honest, it isn't). Is the threat here that someone might fry your battery slightly faster than it will fry itself, or...?
posted by rusty at 10:29 AM on July 26, 2011
OMG public component specifications are public OMGWTF battery BBQ
posted by flabdablet at 10:32 AM on July 26, 2011
as usual, need to see the details, but I'm semi-dubious about this.
Yes, as usual, you need to actually read the article before casting doubt. It's amazing how well that works.
posted by Malor at 10:33 AM on July 26, 2011 [3 favorites]
The really interesting parts of the proposed malware, if any, will be the social engineering required to persuade the naive user (i.e. 90% of the userbase) to supply the malware with root access. There's some quite good work being done in this direction on the Windows side of the tracks. Here's a prick of a thing I recently found causing trouble on a digital native's netbook.
posted by flabdablet at 10:37 AM on July 26, 2011 [1 favorite]
In my experience, Mac laptop batteries routinely brick themselves
I worked in IT for ten years, fixing thousands of Macs and PCs over that time period. Never had a battery brick itself, whether it was in an Apple, Dell, IBM, HP or whatever. I had to replace batteries that wouldn't hold a charge, but that happens to all batteries.
posted by Blazecock Pileon at 10:37 AM on July 26, 2011
Happened to my Visa card as well. They just don't make these bloody things like they used to.
posted by flabdablet at 10:40 AM on July 26, 2011
I worked in IT for ten years, fixing thousands of Macs and PCs over that time period. Never had a battery brick itself, whether it was in an Apple, Dell, IBM, HP or whatever.
Never had a battery brick itself per se, but some Macs (e.g., early unibody MacBooks running Snow Leopard) appear to have a software (firmware?) issue that drains the battery at twice the usual rate.
posted by ChurchHatesTucker at 10:51 AM on July 26, 2011
Any time I read anything about Mac Hacking, it's this guy Charlie Miller. I hope Microsoft are paying him well.
posted by iotic at 10:53 AM on July 26, 2011 [1 favorite]
One aspect of this is that one could swap out a good battery on someone else's machine for a hacked one. It is much more subtle, convenient, and less immediate than the other options for sabotaging someone's hardware.
posted by idiopath at 10:55 AM on July 26, 2011 [1 favorite]
If you are root on the system, wtf does it matter that you can futz with the battery.
arg!...now i cant find the article...dammit...ah, well i read about this um, somewhere else, recently...apparently the hack is through the battery itself...you don't need to be root on the system...i think it was something like one of those old 'reset with a paper clip' holes...some kind of access port for battery diagnostic equipment...probably at the refurb plant...
posted by sexyrobot at 11:09 AM on July 26, 2011
This is completely unfounded. There's no mechanism for firmware sitting on the chip to do anything with the OS, even if it did contain "evil" firmware.
Some of you keep saying that. I do not think 'no mechanism' means what you think it means.
The main OS has to read from the battery. If there's a bug in that code, which is far from impossible, the battery could inject an exploit to overrun a buffer, just like reading an evil website can exploit your browser.
posted by Malor at 11:10 AM on July 26, 2011 [2 favorites]
The main OS has to read from the battery. If there's a bug in that code, which is far from impossible, the battery could inject an exploit to overrun a buffer, just like reading an evil website can exploit your browser.
This is technically true, but the interface between the two is, uh, "minimally expressive". The danger there is fairly small.
posted by atbash at 11:34 AM on July 26, 2011 [1 favorite]
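The disagreement above (Malor: the OS has to parse whatever the battery returns; atbash: the interface is "minimally expressive") comes down to whether a host driver treats device-supplied bytes as trusted. As an added illustration, not code from the thread or from any real driver, here is a defensive parser for an SBS block-read reply: the count byte that leads the reply is produced by the battery's own firmware, and the two checks marked below are exactly what a naive driver that copies `len` bytes into a 32-byte buffer would be missing. The `struct sbs_reply` wrapper and the demo byte arrays are constructed for this example.

```c
/* Added illustration, not code from the thread or any real driver.
 * SBS block-read commands return a count byte followed by up to 32
 * data bytes. The count comes from the battery's firmware, so a host
 * driver must validate it before copying. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SBS_BLOCK_MAX 32          /* SMBus block transfer limit */

/* Constructed stand-in for a raw block-read reply as received on the bus. */
struct sbs_reply {
    const uint8_t *bytes;         /* count byte first, then data */
    size_t avail;                 /* bytes actually received */
};

/* Parse a block reply into a NUL-terminated string in `out`.
 * Returns the number of data bytes copied, or -1 if the reply is
 * malformed. `out` must hold at least SBS_BLOCK_MAX + 1 bytes. */
int sbs_parse_block(const struct sbs_reply *r, char *out, size_t out_len)
{
    if (r == NULL || out == NULL || out_len < SBS_BLOCK_MAX + 1)
        return -1;
    if (r->avail < 1)
        return -1;                /* no count byte at all */

    uint8_t len = r->bytes[0];
    /* The two checks a count-trusting driver would lack: */
    if (len == 0 || len > SBS_BLOCK_MAX)
        return -1;                /* count exceeds the protocol maximum */
    if ((size_t)len > r->avail - 1)
        return -1;                /* count claims more than was received */

    memcpy(out, r->bytes + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Convenience wrapper for a raw byte array. */
int sbs_parse_block_bytes(const uint8_t *bytes, size_t avail,
                          char *out, size_t out_len)
{
    struct sbs_reply r = { bytes, avail };
    return sbs_parse_block(&r, out, out_len);
}

/* Demo inputs (constructed): a well-formed DeviceName-style reply and a
 * reply whose count byte claims 255 bytes of data. */
static const uint8_t good_reply[] = { 8, 'D','E','M','O','-','B','A','T' };
static const uint8_t bad_reply[]  = { 0xFF, 'A','A','A','A' };

/* Returns 0 when the parser accepts the sane reply and rejects the bad one. */
int sbs_demo(void)
{
    char name[SBS_BLOCK_MAX + 1];
    int ok  = sbs_parse_block_bytes(good_reply, sizeof good_reply, name, sizeof name);
    int bad = sbs_parse_block_bytes(bad_reply, sizeof bad_reply, name, sizeof name);
    return (ok == 8 && strcmp(name, "DEMO-BAT") == 0 && bad == -1) ? 0 : 1;
}

int main(void)
{
    printf("sbs_demo: %s\n", sbs_demo() == 0 ? "ok" : "FAIL");
    return sbs_demo();
}
```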
ChurchHatesTucker: "Never had a battery brick itself per se, but some Macs (e.g., early unibody MacBooks running Snow Leopard) appear to have a software (firmware?) issue that drains the battery at twice the usual rate."
Okay, I have a unibody Macbook running Snow Leopard. How can I tell if it is draining at "twice the usual rate"?
posted by misha at 12:10 PM on July 26, 2011
Okay, I have a unibody Macbook running Snow Leopard. How can I tell if it is draining at "twice the usual rate"?
If it's a young battery, you should get 3+ hours out of a full charge, depending upon what you're doing. If you get more like 1.5 for web surfing, you've got an issue. There's some Mac Voodoo that is supposed to help, but I haven't got any of it to work myself.
posted by ChurchHatesTucker at 12:28 PM on July 26, 2011
If you get more like 1.5 for web surfing, you've got an issue.
System preferences -> Energy saver -> Better battery life & reboot. The only time I've ever seen that is when somebody switched it to "better performance", I.E. "Fire up the big GPU and full speed ahead". Unlike later models, the firstgen Unibodies can't switch them automatically.
Couldn't hurt you to also install a flash blocker.
posted by mhoye at 1:04 PM on July 26, 2011
If the battery is being drained at twice the rate, that's not a battery issue. That's some process burning too much CPU. Occasionally you'll find a daemon is stuck in some state where it's keeping one core at 100%. Easily seen and rectified with Performance Monitor.
posted by w0mbat at 1:22 PM on July 26, 2011
If the battery is being drained at twice the rate, that's not a battery issue. That's some process burning too much CPU. Occasionally you'll find a daemon is stuck in some state where it's keeping one core at 100%. Easily seen and rectified with Performance Monitor.
You'd think, but no. There's something weird about Snow Leopard.
posted by ChurchHatesTucker at 1:26 PM on July 26, 2011
Very few viruses are designed solely to grief the user. How does messing with batteries make the virus writer rich?
posted by ryanrs at 4:22 PM on July 26, 2011
How to destroy hardware with software?
Apple can even do one better. Here's an explanation of a computer hardware virus that involves no software at all:
The problem I discovered was that one of the thin walls between the holes had broken and bent down, forming a ramp. When I plugged the DVI adapter into my computer, two of the pins went into the same hole, and the projector could no longer understand the output from my computer.
However, it doesn't end there. When I plugged the DVI adapter into the broken socket, the ramp formed by the broken wall bent the corresponding pin upwards, forming a wedge with the adjacent pin. Then, when any other Mac user plugged the same adapter into their own computer, the pin wedge would press down on that same socket wall, breaking it and bending it down in the same fashion.
What I had discovered, in essence, was a mechanical virus. It infects Mac laptops and spreads via the DVI adapters. An infected adapter will infect any computer that uses it, causing that computer to infect any adapters that it comes into contact with in the future, etc.
posted by Anything at 4:57 PM on July 26, 2011 [4 favorites]
That would be more a prion than a virus, surely.
posted by flabdablet at 7:28 PM on July 26, 2011
I had a PC I was working on in a repair shop, many years ago, that had an 'electronic' virus. Any keyboard that I plugged into that machine would immediately die. Any other machine that I subsequently plugged that keyboard into would immediately and permanently lose its keyboard port.
Because we had to pay for all this hardware, I stopped as soon as I realized what was going on, but I still ended up with three or four dead keyboards, and at least three busted motherboards. I don't know if it would do a 'second generation' infection, and finding out would have been too expensive.
posted by Malor at 11:11 PM on July 26, 2011 [1 favorite]
This is completely unfounded. There's no mechanism for firmware sitting on the chip to do anything with the OS, even if it did contain "evil" firmware.
All of you saying there is no way for malware in the battery firmware to infect the OS are wrong.
There is at least one way to do it:
ACPI loads AML bytecode from devices that supply it, including battery controllers. This bytecode goes to the operating system's ACPI system, which hooks it all together so that it can manage power state changes in whatever way the various devices require. Obviously AML is designed for a limited range of functions, but it is arbitrary, Turing-complete code running in ring 0 (OS mode).
Anyway, that's how I would do it.
posted by atrazine at 5:35 AM on July 27, 2011 [1 favorite]
Well bugger me. I knew Microsoft was heavily involved in the design of ACPI, but I had no idea they'd managed to inject the Word document macro anti-pattern into the bloody thing. I should clearly have been paying more attention.
Thanks for that, atrazine.
posted by flabdablet at 7:57 AM on July 27, 2011 [2 favorites]
Yeah, they even have proof-of-concept ACPI viruses. But at least so far, they're too tightly bound to a given motherboard to be terribly virulent. It's not a sufficiently abstract environment for viruses to thrive. If one IS written for a given board, it can quietly sit there, run the Ethernet connection without the OS having any knowledge of it at all, and then use DMA to inject downloaded code straight into the host operating system.
Having to write almost one custom virus per motherboard makes this pretty much a non-starter for anything but national level security, but it might be more feasible to attack Macs this way. There's a relatively limited range of hardware, which tends to be closely related across families, so I suspect the chance of an ACPI virus prospering would be a lot higher. Probably still not high in an absolute sense, but higher.
posted by Malor at 10:35 AM on July 27, 2011
Ha, people always figure out some tortured way to blame Microsoft.
posted by smackfu at 10:45 AM on July 27, 2011
This is called Windows Vista. Physically fried two Alienware motherboards on me.
posted by cmoj at 11:08 AM on July 27, 2011
i can pour water on a mac and brick it, too. hold tight for my whitepaper.
posted by Señor Pantalones at 1:00 PM on July 27, 2011 [2 favorites]
i can pour water on a mac and brick it, too. hold tight for my whitepaper.
And the subsequent post on Metafilter! :)
posted by Blazecock Pileon at 4:14 PM on July 27, 2011
Ha, people always figure out some tortured way to blame Microsoft.
Oh, there's plenty of blame to go around. Now I've started reading up on this stuff, I'm not entirely surprised to find that the other guilty parties are HP (also responsible for the worst Windows printer drivers ever released and the laptop designed to suck the tablecloth up into its cooling intake), Toshiba (world's least repairable laptop chassis), Intel (world's ugliest CPU architecture) and Phoenix (world's suckiest BIOS). It all makes sense now.
posted by flabdablet at 7:15 PM on July 27, 2011 [1 favorite]
On a system I've worked with, you can't write anything to the battery unless you are root (read access is granted to all). If you are root on the system, wtf does it matter that you can futz with the battery.
It sounds like one of those "It rather involved being on the other side of this airtight hatchway" issues ...
posted by k5.user at 9:24 AM on July 26, 2011 [5 favorites]