Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Apple Battery Firmware Default Password SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Apple Battery Firmware Default Password

Yesterday, I wrote about all the great things Apple did to improve security in its new operating system. Today however, we got a new, and quite different, vulnerability. It turns out that the firmware in Apple's laptop batteries is secured with a default passwords. An attacker would be able to use this password to change the battery firmware or settings, permanently ruining the battery. So its more of a denial of service attack. Persistent malware should be possible but it is not clear how much access it would have to the system.

It is always amazing what devices have firmware which may be manipulated by an attacker. I remember a while back a firmware update for the display port to VGA addapter. If there is a firmware update, there is always a change for a malicious firmware install. Recently, we talked about thunderbolt, Intel's new interface standard that provides direct bus access similar to Firewire. Thunderbolt cables are fare removed from "pairs of copper" we are used to. Instead, each thunderbolt cable has active circuits, and you guessed it, firmware embedded in the connector.

A malicious thunderbolt cable could potentially have direct access to system memory and disk.

http://blogs.forbes.com/andygreenberg/2011/07/22/apple-laptops-vulnerable-to-hack-that-kills-or-corrupts-batteries/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3695 Posts
ISC Handler
Considering these are Lithium Ion batteries, and the issue is a firmware compromise leading to full access to the microcontroller..... the possibility of ruining the battery by rendering it unable to do anything is one thing.

I'm a lot more concerned about the possibility an attacker could intentionally make logic changes to cause a thermal overrun of the battery during charging, resulting in possible explosion of the battery or laptop fire.

We have a case where a firmware vulnerability discovered could actually be a safety issue, if exploited.

Since the microcontroller is responsible for controlling charging and discharging of the battery, and one of the reasons these batteries have firmware in the first place -- lithium ions are volatile, and require the microcontroller to actually monitor the charging and discharging cycles of the cells in order to keep the cells stable, and avoid catastrophic eruption of the battery.
Mysid

146 Posts
You need to be root to access the batter FW. Look after your root access and you will be ok. You should be able to blow your own battery up , after all you paid for it !
Mysid
13 Posts

Sign Up for Free or Log In to start participating in the conversation!