Now that Apple has endowed the Mac operating system with state-of-the-art security protections, a researcher has devised new attacks that target the machine's battery. Charlie Miller, well known for his numerous attacks on iPhones and Macs, may not have achieved his ultimate objective of making a Mac spontaneously combust, but …
That is all.
Not that big of a deal.
Change your battery. Not that big of a deal.
Sent from my iPhone
P.S. Oh wait... you can't. Change your lappie. Not that big of a deal... Now why is my iPhone getting so ho.............
I can change my battery...
... but it was last non-unibody macbook pro so meh! :)
Can you imagine it? a virus that fulfils the Hollywood dream of permanently shutting down computers! Yes i know this exploit is a long way from that.. but imagine! (Would need to play some kind of countdown/evil face laughing first or the likes)
Soon they will have firmware too and a GPS and GSM all built into a tiny spec within the battery and many TB of flash so when you put a battery in your camera it will also take a copy and store it along with GPS and possibly send by WIFI
given how good apple are....
....at security this is one hell of a school boy error.
That's because Apple aren't good at security
Most of the security they do have comes from the open source that Mac OS X is based on (BSD and friends).
If ever there's an exploit out there in the wild that takes advantage of Apple software (Safari, iTunes, etc...) it can anything up to a month for a patch to come though Software Update. Same for the open source programs that run under the hood like the scripting languages, CUPS, or Samba (which it seems they've stopped updating, the version running is so antiquated it's a joke).
They either stick the security update in the next version of Apple software which has a tiny change in functionality to justify the update or push out a security roll up which addresses a number of issues that have been piling up over the previous weeks/months.
They've made this mistake before with hardcoded root passwords in the iPad and iPhone. Guess what, they've gone and done it again here.
They still haven't got rid of the 'automatically open safe files' option in Safari which happily runs installer scripts which has been used to download malware.
I honestly prefer Microsoft's way of doing things when it comes to security updates. Perhaps not Microsoft's security in itself. Mac OS X started with better base but it seems to have made them lazy.
I'm not so sure about Microsofts batteries, though.
Security through obscurity
in other words.
Minor correction: Apple have never hard coded the root password for iOS devices; certain jail break tools used to do that, creating a security flaw for users of those tools only.
I otherwise agree with you mostly, Apple's attitude seemingly being that security updates aren't very urgent.
One thing I'm unsure of from the article: how do you perform the attack? Do you need physical access and/or root permissions? Anything of that nature that comes through Software Update requires an administrator password - does this flaw get around that somehow?
Err... The batteries in systems running MS' software are controlled by the hardware manufacturers, it's their firmware updates that protect their hardware, nothing to do with MS.
The original iPhones and iPod (not iPad, that was my mistake) had a hardcoded root password.
Then people put all sorts of goodies like SSH on their jailbroken devices, which made it possible to get in using the same passwords.
I stand corrected, but in my defence I was thinking of a careless security mistake in a piece of software that was actually exploited. As the article you link to says "Having the passwords will not do anybody any good for the moment [...] nobody even seems certain that the accounts access the machine at all". However it was my mistake to conflate the two things and to claim that you were wrong.
As to the rest of my original post, I'm still uncertain as to how one would put damaging software onto an Apple battery. I don't deny that there's a potential security problem here (though if the battery firmware could be altered only by a piece of software already running as root on the machine then I might, since then logically the number of attack vectors isn't increased, just the number of attacks) but I'm curious what a prudent person should do in response.
Any number of things.
It really depends how much control the embedded chip has.
If your just restricting yourself to the battery, you could get it to overcharge the cells, which can result in damage, overheating, melting of the battery compartment, release of Hydrogen which is potentially explosive, potentially damaging the laptop itself.
on a software level, The chip obviously does have a communication method to the main CPU (presumibly to allow the CPU to read battery level and update the firmware in the first place) , and as with any method of communication, how much software damage it depends on the security and checking inherent in this communction, and how the program on the other end responds to attempts to cause buffer overflows, bad parameter passing, malformed messages, et al.
Microsoft don't make batteries.
I think that was the point. Irony bypass?
Oh and I haven't got a retarded, whatever one of those might be.
Haven't got one?
Fear not, for I am he!
Good to know!
That must be the reason why the Sony cells in my Toshiba blew up, imagine they were from Microsoft.
I didn't know that.
... may not be an impossible result, if the chip controls (to a certain extent) the charging and battery safety circuitry, and can be hacked so voltage or current detection thresholds are skewed appropriately.
For example (and very simplistically), your typical, properly-maintained, not-worn-out lithium-ion battery cell is charged to around 4.2 volts. Once the 4.2 volt threshold is reached, charging current will begin to drop. When the charging current drops to about 3% of the nominal charging current, the charger will usually exit its continuous-charge mode, and will either wait until cell voltage drops to a certain level before starting a new charge cycle, or will trickle-charge the cell intermittently using a timer.
If the chip being discussed controls charging cycles and safety, and its detection thresholds can be overridden so that it (hypothetically) reads the 4.2 volt full-charge threshold as 3.9 volts, and tells the charger to keep pushing a 100% nominal charge current into the battery even though it is already fully charged, the battery **could** conceivably overheat, rupture, and catch fire from the abuse.
Not something I'd like to encounter, if I have a habit of actually using my laptop on my lap, such as on the train while I'm commuting to/from work...
If, maybe, perhaps if, then if
Wake me up when any of them are true.
You were saying?
Those were as a result of a bad batch of batteries, or third party batteries, but they prove just how volatile the things can be. Lithium Cobalt were shockers for this. Lithium-Polymer(-hybrid) are also very volatile.
This is why they have fancy charge controllers that continually monitor the heat, current flow and individual cell voltage, trying to balance the cells' voltage and ensure current demands stay within safe limits.
Should someone screw with this, the results could be disastrous.
re: Spontaneous combustion
I agree with all your points, except that a typical smart battery has two controllers, one to control the charge safely and the other is the 'fuel guage' which amongst other things drives the row of LEDs on the outside of the battery. Neither of these has direct control over the current in or out; the laptop's PSU handles that which communicates with these controllers over an I2C link. But either can simply disconnect the cells entirely by switching off FETs in series with the battery terminals if they detect something is awry.
Both controllers would probably need to be doctored to actually get the battery to go up and then it could only happen whilst on charge.
As a last line of defence there are usually a couple of thermal fuses in series too which one would hope would go open circuit before any actual explosion.
Philip of Macedonia sent Sparta a message, "You are advised to submit without further delay, for if I bring my army into your land, I will destroy your farms, slay your people, and raze your city."
They replied "If".
Does not compute
Apple computers dont get viruses or spam... most apple users swear so
that's because nobody uses Apple Computers and thus it makes no sense to write malware for a small niche market, better attack something more users use, like Android tablets.
Am I *that* behind the times?? When did batteries start coming with controllers, firmware, and updates..??
"When did batteries start coming with controllers/firmware/updates..??"
About the time device manufactures started moving from Nickel Cadmium [NiCd] and (early) Nickel Metal Hydride [NiMH] to Lithium Ion and Lithium Polymer...
Lithium-based batteries have a significantly higher energy density per unit mass than the Nickel-based batteries, but they are also constructed from chemicals that are much more volatile, and so require active safety measures (such as charge control and safety circuits) to prevent criticality excursions...
My money is on when Steve decided...
...to borrow a page from the printer manufacturer's book, and use a chip to block third party products.
In the name of protecting the customer from dodgy products of course.
They have been doing it for some time. But to tax 3rd party products. You need to buy a chip from Apple to make your iPhone/Pod add on work.
I'm just going out...
...On a criticality excursion.
I may be some time.
State of the art
I thought that opening line read "state of the art security problems", which seemed plausibly Reg style so I didn't immediately pick up on it. Got a chuckle out of it nonetheless.
A while ago
This puts me in mind of a nasty version of Dark Alex's Pandoras battery for Sonys PSP which targeted the Battery's firmware and turned the battery into a very nice modding tool.
very clever hack!
That's a very clever hack. Perhaps it just shows that we are overly computerized now. A battery with firmware that's remotely upgradable?
Questions questions questions!
If zapware were to get on to a laptop, would Apple honour a warranty? And if the battery could be set to become dangerous, with whom would the liability rest?
If battery fires are a real possibility Apple would need to sort that out sooner rather than later. Millions of laptop batteries going up in smoke would almost certainly lead to expensive court cases at the very least, with deaths at the other end of the scale of possibilities. Sounds like they ought to be able to push out a fix as a software update. Also airlines would certainly be well advised to consider whether Mac laptop batteries were safe enough to be allowed on flights.
But hang on a mo - has anyone checked to see if this is a feature of laptop batteries in general? I don't suppose PC laptop batteries are so very different.
Guess what, you can brick a PC by using some Windows BIOS flash software.
I'm sure there's some software that could do the same for SATA drive firmware.
Neither Windows nor SATA drives
are explosive. Lithium batteries can be if you screw with their controllers.
iCriticism deflection strategy number 2..
Everybody else has the same problem.. Even if they don't really.
There was a SATA firmware that could disable your computer... Seagate made it for their earlier 1TB drives (and all others in that series). Version SN04 if I'm not mistaken (I've got one sitting in front of me...).
Windows or Linuw never branded themselves State of the art in security nor World most Advanced, and didn't called their tech support Geniuses.
They have their weaknesses, but at least they are more honests when it comes to talk about what they do.
Yes you can kill a PC by flashing the BIOS with a corrupt version, yes you can do the same with a SATA drive but both are recoverable from if you have the right knowledge. That is the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even overide safety protocols to make the battery explode how exactly?
The next question is will Apple be providing a firmware flash tool for the battery so that if somehow you do get a tainted battery you can fix it with a clean version of the firmware or will they rely on the goodwill of a 3rd party and stick with his password change fix to hopefully prevent infection in the first place? They could always take the default Apple position of sticking their fingers in their ears shouting lalalalalalalalala there is no problem, Apple are perfect and any problems you may encounter are entirely your own fault as it couldn't possibly be us.
Some PC motherboards have BIOS bricking protection...
If my BIOS gets corrupted a "backup BIOS" reflashes the main one with a factory copy.
@AC 23.7 11:52 / Rootkit
"How exactly is that the same as them containing persistent malware that has the potential to give control over that computer regardless of how many times you re-install the OS or maybe even overide safety protocols to make the battery explode?"*
They have been putting "persistent malware" on hard drives and flash BIOS chips for years. It's called rootkits.
*paraphrased slightly for legibility
Surely a blackhat wouldn't a) tell everyone that the flaw exsisted. b) release a tool to fix it.
Black Hat, not blackhat
They didn't say he *is* a blackhat, just that he's going to release details at the Black Hat conference.
If nobody released details there, there wouldn't be a conference at all.
Miller is ex-NSA and very much a white hat - unless you're Apple I suppose.
World gone mad
If the batteries have firmware and a password, I think we have gone past the point of no return. If you /must/ have a brain in a battery, why isn't it mask programmed? Just how smart does a battery need to be?
It seems like madness to me.
@Hardcastle The Ancient: Costs, I expect
"If you /must/ have a brain in a battery, why isn't it mask programmed? Just how smart does a battery need to be?"
Saves having to spend money on doing a mask for every single different battery design, much cheaper. Of course, 'cheaper' is a word that has both short and long term considerations. Business doesn't do long term very well, and a pricey round of court cases can turn previous short term profit gains into an expensive option.
Authenticated challenge-response would have raised the bar
Some batteries in some products do have it.
It is absolutely outrageous and unacceptable that there isn't some way to push a button on a battery and totally reset the software, so that a user can quickly and easily fix such a thing without having to spend money to take it in to be fixed.
Of course, the idea of a battery having a little computer inside it is rather strange as well.
We've already seen, though, that many Macintosh models don't have an eject hole for their CD drives, so this kind of deficiency has been encountered before. A Mac may be much less subject to viruses than a PC, but the system's inflexibility sometimes deprives the user of recovery options.
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Antique Code Show World of Warcraft then and now: From Orcs and Humans to Warlords of Draenor
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...