Updatable firmware could be the new target for hackers

Summary: At the upcoming Black Hat conference, security researcher Charlie Miller plans to disclose a way to hack the battery microcontrollers on Apple notebooks and how this hack could be used to brick batteries, steal data or possibly even cause a fire or an explosion.

A few days ago security researcher Charlie Miller announced that he will disclose information at the next Black Hat conference about how he figured out a way to hack the battery microcontrollers on Apple notebooks and how this hack could be used to brick batteries, steal data or possibly even cause a fire or an explosion.

It's an interesting hack. Miller started with a battery firmware update released by Apple a few years ago. Buried within this update he found the password (which turned out to be the default password for the component as set by the manufacturer) and the set of commands needed to put the battery microcontroller into 'full access mode.' This mode allowed low-level access to the controller and offered Miller the chance to make it do things it wasn't supposed to do, such as lie about the charge state of the battery. He also managed to brick batteries - seven in all, each costing $130.

So, other than bricking batteries (something that a mischievous hacker might be happy doing), what else can be done? Well, Miller thinks that this could be used to install malware onto a system in such a way that it would survive a total disk wipe and BIOS reflash - persistent malware that could only be eradicated through reflashing the affected component.

Now, the researcher (and most of the news pieces covering it) latched onto this being an 'Apple' issue, but in reality it's a problem affecting pretty much anything that has reflashable or updatable firmware. Paul Ducklin, head of technology at Sophos Asia Pacific, had this to say:

So, are Apple laptop batteries the new attack vector? Could a virus set your beloved Macbook on fire?

The answer to the first question is: no more so than any other hardware in your system with field-updatable firmware. That includes the motherboard itself, your wireless card, your 3G modem, network card, graphics device, storage devices and much more. Including, of course, the battery pack. And - as Apple fans reading this article will be happy to note - the risk is not unique to Apple, though Charlie Miller's paper is.

So this extends well beyond the Apple ecosystem (and even computers as a whole) and is something that affects everything with updatable firmware. If the bad guys can gain access to that firmware, then there's a possibility that rogue code could be installed. It's as simple as that.

But what about using this hack to make batteries explode? Could that happen? Well, yes ... but ... batteries are pretty robustly built, and OEMs are keen to make sure that they don't explode (for the sake of liability), so the modern notebook battery is fitted with numerous safeguards to protect against the battery bursting into flames or exploding. While the safety features built into some batteries do fail (a little more often than I'd like to see, judging by the number of recalls I come across), on the whole notebook battery technology is pretty safe (I'm typing these words with a Dell sitting on my lap, behaving itself).

So, is there an issue here? Yes. Is it an Apple issue? No. Is it something that the tech industry needs to think about? Absolutely. Is this something that people should start panicking over? Absolutely not!

Side-note: Miller says he plans to release a tool called 'Caulkgun' that will prevent hackers from accessing the battery microcontroller by changing the password to a random string of digits. Personally I'd be wary of running this because it will prevent Apple updates relating to the battery controller from being installed.

Talkback

22 comments
  • If you ever needed another reason not to flash ..

    .. *any* BIOS, this surely just put a nail in the coffin for those risky enough (...or just plain suicidal enough) to do it. Excellent! If it wasn't enough that you could toast your mainboard through a personal death wish, now you don't have to .. just let an intercepted firmware upgrade do it for you! Oh, joy!

    Now, I've flashed the BIOS for DSL modems, video cards and other non-essential computing equipment, but *would never*, even in the best / most ideal scenarios, advise anyone to fidget around with a computer system BIOS - even with a legit firmware upgrade.
    thx-1138_
    • RE: Updatable firmware could be the new target for hackers

      @thx-1138_@... The thing is, I think a lot of driver updates include flashing the hardware in addition to updating the drivers :/.

      What really needs to happen is that the OS needs to clamp down on drivers. And hardware manufacturers need to make sure that updates are only done through drivers. Everything should be signed and encrypted. That way, the only people who can flash the firmware on any device are the manufacturers themselves.
      CobraA1
      • makes the companies involved the targets for black hats

        @CobraA1
        I'll be blunt, even if there's no customer data stolen from a corporate breach, stealing a copy of the internal encryption key could be the real target. With that key, false-flag signatures can be placed, and then, well... you can figure out what would happen with properly signed malicious updates.
        shryko
      • RE: Updatable firmware could be the new target for hackers

        @shryko

        -There are separate keys to create and verify digital signatures. The key used to verify the signatures will not allow anybody to create new signatures, and is the only key that should be stored on the firmware or in the drivers.

        -The key used to create digital signatures is very valuable, and is likely kept very secret and safe with the company that makes the firmware. Hopefully such an attack should be rare.

        -A good digital signature design should have a revocation mechanism in case the key is found, so that a new one can be created.
        CobraA1
      • @CobraA1 .. you raise some good points

        .. securing the driver ecosystem is a tough one though. For the layperson with little to no experience in BIOS firmware upgrades, it becomes, more so, a minefield.

        But the idea you allude to, of ensuring only the manufacturer has access to the BIOS has merit .. well, really is the only way to go.
        thx-1138_
      • RE: Updatable firmware could be the new target for hackers

        @CobraA1
        Problem with that is after sale to consumer. If only vendors were allowed to flash hardware then the RMA process would become a nightmare and every company would be overloaded just in customer return flashes.
        Nate_K
      • RE: Updatable firmware could be the new target for hackers

        "Problem with that is after sale to consumer. If only vendors were allowed to flash hardware then the RMA process would become a nightmare and every company would be overloaded just in customer return flashes."

        I'm not necessarily suggesting return the product to the vendor to get it flashed - it could be included in software updates from the vendor, which is often done via Windows Update or through software included with the machine.

        Indeed, my HP netbook came with software from HP that would automatically check for and install updates.

        "Problem being, it's not the bios in particular. It's other programmable rom in the hardware and this technique is not new."

        Agreed, this should be done across the board, not just for the BIOS.

        "This makes it very difficult to impossible to detect in some cases."

        Which is why it should be detected before it infects the machine, rather than afterwards. Which is why digital signatures are so important - they allow the OS to detect whether the new driver is legit or not. Only kernel level code should have access to the ability to flash a device - user level code should be forbidden access.

        In other words: The ability to flash the firmware of a device should be kernel/driver level, not user level. Windows (especially 64 bit Vista/7) is very good at making absolutely sure that drivers are signed. If firmware updates are only done via drivers, this problem would be far easier to prevent.
        CobraA1
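The design CobraA1 sketches across the two comments above (separate signing and verification keys, only the verification key stored on the device, a revocation mechanism for a key that leaks, and a check performed by the flashing driver before anything is written to the chip) is easier to reason about in code. The following Go program is an added example, not code from the article, from Apple, or from any commenter. It uses Ed25519 from the Go standard library; the Update layout, the numeric key IDs, the TrustStore type and the firmware image bytes are this example's own constructed assumptions, not any real vendor's update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the container a vendor would ship: the ID of the signing key used,
// the firmware image, and a signature over (key ID || image). Layout is assumed.
type Update struct {
	KeyID     uint32
	Image     []byte
	Signature []byte
}

// TrustStore is all the device (or the kernel-level flashing driver) holds:
// public verification keys by ID, and the IDs of keys that have been revoked.
// No private key is present, so possessing this store does not let anyone
// create a valid signature.
type TrustStore struct {
	Keys    map[uint32]ed25519.PublicKey
	Revoked map[uint32]bool
}

var (
	ErrUnknownKey = errors.New("update signed with a key this device does not trust")
	ErrRevokedKey = errors.New("update signed with a revoked key")
	ErrBadSig     = errors.New("signature does not match the image")
)

// signedMessage binds the key ID into the signed bytes so a signature made
// under one key cannot be replayed with a different key ID.
func signedMessage(keyID uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(msg, keyID)
	return append(msg, image...)
}

// Sign is the vendor-side step; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, keyID uint32, image []byte) Update {
	return Update{KeyID: keyID, Image: image, Signature: ed25519.Sign(priv, signedMessage(keyID, image))}
}

// Verify is the gate a flashing driver applies before writing to the chip.
// Revocation is checked first: a leaked key produces perfectly valid
// signatures, so the device has to refuse it by ID, not by signature math.
func (ts TrustStore) Verify(u Update) error {
	if ts.Revoked[u.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := ts.Keys[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, signedMessage(u.KeyID, u.Image), u.Signature) {
		return ErrBadSig
	}
	return nil
}

// RunScenario walks through the cases the thread discusses and returns the
// verifier's decision for each, in order: a genuine update, a tampered image,
// an update signed with an attacker's own key, the genuine update again after
// its key has been revoked, and an update under the vendor's replacement key.
func RunScenario() ([5]error, error) {
	var out [5]error
	device := TrustStore{Keys: map[uint32]ed25519.PublicKey{}, Revoked: map[uint32]bool{}}
	privs := map[uint32]ed25519.PrivateKey{}
	for _, id := range []uint32{1, 2} { // two vendor keys, key 2 held in reserve
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return out, err
		}
		device.Keys[id] = pub
		privs[id] = priv
	}
	// Constructed stand-in for a firmware image, not real controller firmware.
	image := []byte("FWIMG v1.0 constructed sample battery controller firmware")

	genuine := Sign(privs[1], 1, image)
	out[0] = device.Verify(genuine)

	tampered := Update{KeyID: 1, Image: append([]byte(nil), image...), Signature: genuine.Signature}
	tampered.Image[len(tampered.Image)-1] ^= 0x01 // one flipped bit is enough to fail
	out[1] = device.Verify(tampered)

	_, rogue, err := ed25519.GenerateKey(rand.Reader) // a key the device never trusted
	if err != nil {
		return out, err
	}
	out[2] = device.Verify(Sign(rogue, 3, image))

	device.Revoked[1] = true // vendor learns key 1 leaked and ships a revocation
	out[3] = device.Verify(genuine)
	out[4] = device.Verify(Sign(privs[2], 2, image))
	return out, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for i, r := range results {
		fmt.Printf("case %d: %v\n", i, r)
	}
}
```

Running it prints the five decisions in order: accepted, bad signature, unknown key, revoked key, accepted. Two points the thread makes are visible in the code: the device-side store contains nothing that would let an attacker who copied it produce a signature, and once a signing key is known to be compromised the signature check alone is no defence, which is why the revocation list is consulted before the signature is even examined.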
      • RE: Updatable firmware could be the new target for hackers

        @CobraA1 The PSP was hackable by using the Pandora hack -- a modification of the battery to put the PSP into service mode that disabled all protections. There's nothing new here.
        alasiri
    • RE: Updatable firmware could be the new target for hackers

      @thx-1138_@... I wouldn't advise anyone with no experience to fidget around with the BIOS even with a legit firmware upgrade UNLESS absolutely necessary. If you are having an issue with the current BIOS, or a vulnerability is found in the BIOS and it becomes necessary, then by all means it becomes necessary.
      jtjenkins213
    • RE: Updatable firmware could be the new target for hackers

      @thx-1138_@...
      Problem being, it's not the bios in particular. It's other programmable rom in the hardware and this technique is not new. Wipe-surviving malware has been talked about for around 2-3 years now. The original release of this advisory included working P.O.C code and devices tested.

      It gets serious when you think of the problems associated with this, mainly when the code is persistently infectious as malware usually is. A good, non-malicious, present-day example would be CompuTrace, present in a good portion of laptops and some desktop/server equipment. Last year I did my own research into this for reasons almost like this article. In layman's terms, it works like this:

      1. Code is inserted somewhere into reprogrammable memory; CompuTrace operates in a write-once section of the bios that is normally untouched by bios updates.
      2. The code is essentially a kernel-level program that loads well before the rest of the operating system, giving the advantage of hiding the code by mutexes, polymorphic means, or, as CompuTrace does, by loading as a system driver like rootkits.

      This makes it very difficult to impossible to detect in some cases. Hiding the code somewhere it can't be touched by normal flashing now renders the device useless, as you would just keep reinfecting your machine each time you turn it on. Essentially it becomes a hardware-level rootkit.

      I won't go very much into detail but the principles are entirely the same.
      Nate_K
  • All this hack really does

    Is guarantee the market for original Apple-branded batteries.
    matthew_maurice
  • Message has been deleted.

    Rick_K
    • In fairness

      @Rick_K

      Apple batteries are, AFAIK, made by a single vendor, there are a limited set of batteries in circulation, Apple still uses the default password, and the batteries aren't removable, and are in phones that by definition are always on the internet. Regardless of who has what axe to grind against whom, the reason Miller likely targeted Apple is because their consistency makes them among the most universally compatible with a hack of this nature.

      By contrast, virtually every Dell and HP owner I know has a different battery type. Even if you argue that the dv6000 and dv9000 series laptops are more widely circulated with regards to the battery, virtually everyone I know with such a model has replaced their battery within two years of ownership. In the case of phones, know how everyone calls the Android ecosystem fragmented? Well in this case it's handy - HTC has some similar batteries along their product lines, but even they are on phones running different OSes. Samsung, Motorola, LG, and a flurry of other manufacturers also have different OSes and different batteries, so good luck picking an easy-to-exploit handset that's also in sufficient circulation.

      Joey
      voyager529
      • RE: Updatable firmware could be the new target for hackers

        @voyager529
        My point is that Miller is a terrorist. His plan is to scare people into not using products from Apple. He has also made comments about wanting to cause bodily harm to Mac users. If I am not mistaken; threatening people is against the law.
        Rick_K
  • RE: Updatable firmware could be the new target for hackers

    I once had my MacBook Pro's battery explode for no reason (WHILE IT WAS IN THE LAPTOP). Thankfully nothing else was damaged and Apple sent me a new battery free of charge.

    It is scary to know how many components have flash chips that can be re-flashed.

    Think of a recent Xbox 360 system update that flashed the DVD Drive with new firmware. At least the 360 S models' drives have been locked out from any more flashing (for now).
    ccfman2004
  • RE: Updatable firware...

    Those of you old enough to remember floppy disks will probably remember that they had a *write protect* notch on them. A simple, but reasonably cost-effective way to prevent accidentally erasing the contents of a diskette.

    A hardware solution would be the addition of a 3-pin Berg stick on the circuit board, and a DIP jumper. The center pin is the *write enable* line to the flash chip. It could take this form:

    1 o - WRITE PROTECT (factory default)
    2 o - ENABLE FLASH CHIP
    3 o - WRITE PERMIT

    A jumper between 1 and 2 prevents flashing; between 2 and 3 allows flashing.

    The drawback would be that if customer flashing is to be "permitted", then the pins either need to be accessible from the exterior, or the user needs to open the case.
    fatman65535
    • RE: Updatable firmware could be the new target for hackers

      @fatman65535 I remember those days. I've seen motherboards that have write-protected bios flash chips just as you're describing with jumpers. Most definitely I agree with you that there should be a write protect. Remember the actual floppy, floppy disks? Where the write protect wasn't a slider like on the 3.5" diskettes, but a notch that you had to actually cover up...Ah, the bad ol' days. :)
      darylsonnier
    • RE: Updatable firmware could be the new target for hackers

      @fatman65535 I like that idea of hardware switches. If implemented correctly, it would make for a secure firmware, but with the switch of a jumper a user is free to update or hack around with their own firmware without having to jump through signature and encryption hoops.
      jonfleck
  • RE: Updatable firmware could be the new target for hackers

    Wrong. Basic algebra, man. If you have as many equations as variables, it is solvable.

    So, if you have the verification equation, just find values that match.

    So if you have 5000 signed drivers, and the signature equation has less than 5000 variables...

    well, you get the idea. we are all screwed.
    rockachu2
    • RE: Updatable firmware could be the new target for hackers

      And that doesn't include decompiling the verifier...
      rockachu2