Hiding malware in smart batteries

Charlie Miller, a respected security researcher, has discovered vulnerabilities in the smart batteries for Apple laptops and mobile devices; he can manipulate their firmware to render them unusable or to cause them to misreport their remaining charge to the OS. The new firmware can survive an OS replacement, leading Miller to speculate that it could be used to store persistent malware that restored itself after the disk was erased and the OS was rewritten.

What he found is that the batteries are shipped from the factory in a state called "sealed mode" and that there's a four-byte password that's required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into "unsealed mode."

From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it's not changed on laptops before they're shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.

"That lets you access it at the same level as the factory can," he said. "You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though."

Apple Laptop Batteries Can Be Bricked, Firmware Hacked
(via /.)

(Image: Old Ray-O-Vac Batteries, a Creative Commons Attribution (2.0) image from deanj's photostream)