A seasoned security hacker who spent seven months figuring out how to hack a laptop battery disclosed his findings today at the Black Hat security conference. Charlie Miller, who specializes in hacking Apple software, figured out how to remotely control a battery and do some damage to it such as “bricking it” – or incapacitating it – from afar.
Miller, a security consultant at Accuvant, said he tried to make a MacBook “smart battery” explode, since the project was all in fun and videos of exploding batteries are big draws on YouTube. But he hasn’t been able to make that happen yet. Had he done so, he could have had one of the most popular talks at Black Hat and caused considerable alarm among a variety of vendors and consumers. It’s also another lesson that if you put the intelligence of computing into an otherwise dumb device, the new smart device will be subject to hacking, as has been proven over and over again.
“I set out to see if I could hack the firmware of a battery,” he said. “I couldn’t make it explode. I took over the battery. It was fun, and I did cool stuff.”
Miller had to go through a long process to figure out which chips were used in the battery — some controllers and circuit protection chips from Texas Instruments. He conducted experiments to find out how the chips operated and how they communicated between the operating system and the battery’s charger, and then compared his results to online manuals and other published data. He found that Apple had left a default password unchanged, which gave him entry into a chip so that he could manipulate its settings. (Apple can try to fix this problem in the future, but Miller figures it wouldn’t be hard to crack the 32-bit password.) Apple has not yet responded to a request for comment.
Smart batteries such as those used in Apple’s MacBooks can charge more efficiently and report back to the operating system (and the user) the exact percentage of charge remaining. The computer can thus talk to the firmware running on the chips within the battery. That firmware controls the charging process and the battery’s safety parameters, which govern when to shut off charging to prevent overheating. Current, voltage and temperature can be calibrated.
Miller found it easy to change the settings on the batteries so that they were no longer recognized by the computer. This essentially “bricked” the batteries. He accidentally bricked his own machine a number of times. Once, he took a fried motherboard into an Apple store and they asked him what happened.
“I don’t know,” he told them, getting some laughs from the Black Hat crowd. “They should have a picture of me on the wall.”
Once he figured out how to break into the firmware, Miller then figured out how to change the settings of the battery and showed the code that proved that he did so. He is sharing his slides as well as a tool that allows people to change the default passwords on their batteries. But that will only work so long as Apple makes no changes.
The dangers of hacking a battery remain theoretical so far. Coupled with a browser exploit, a malevolent hacker could send a virus or some other malware to a target. That virus could then deliver a payload such as sending commands to the battery to make it inoperable. That’s not as dangerous to a computer as wiping its hard disk, Miller said. But if someone could actually make a battery catch on fire from afar, that would be very dangerous.
Miller has no plans to undertake such hacking projects. But he continues with his battery research.