RESEARCHER Charlie Miller took to the stage at the Black Hat conference in Las Vegas yesterday to discuss his headline making Apple battery hack.
During the conference, the principal engineer for Accuvant Labs gave a demo of the process used to reverse-engineer Apple's battery firmware and manipulate data, which can render a battery useless. In theory it could also be used as the starting point for denial-of-service and remote access attacks, according to Miller.
"You can imagine a situation where the code in the battery is actually attacking the operating system. This is going to survive reinstallation," he said.
The heart of the vulnerability lies in the way Apple uses a series of three chips that perform maintenance and safety operations, such as reporting current capacity and preventing cells from overcharging.
The researcher found that certain aspects of the battery's controls could be accessed using a default access key on the microcontrollers. Eventually Miller was able to dig even further and access the battery chips on the ROM level, where erasing data and 'bricking' the battery pack was possible.
Miller said that, as his research progressed, the project became more expensive. In addition to the hardware and software tools required to analyse and overwrite code, mistakes resulted in the unintentional bricking of many battery units.
"I was ordering two or three batteries at a time, I was going through them so fast," he said.
Eventually, Miller developed an API to access the battery firmware as well as code to brick a battery pack and a tool that can prevent an attack, although the process is irreversible and will block future battery firmware updates from Apple.
Throughout his research, Miller said that one task he was never able to accomplish was reprogramming the battery to intentionally overheat and combust. Even if intentional overheating were possible, thermal hardware cut-off switches would be likely to stop the cells from catching fire.
"I never blew up a battery, and I'm not too worried about someone blowing up mine," he said. µ