Charlie Miller, a respected security researcher, has discovered vulnerabilities in the smart batteries for Apple laptops and mobile devices; he can manipulate their firmware to render them unusable or to cause them to misreport their remaining charge to the OS. The new firmware can survive an OS replacement, leading Miller to speculate that it could be used to store persistent malware that restored itself after the disk was erased and the OS was rewritten.
What he found is that the batteries are shipped from the factory in a state called "sealed mode" and that there's a four-byte password that's required to change that. By analyzing a couple of updates that Apple had sent to fix problems in the batteries in the past, Miller found that password and was able to put the battery into "unsealed mode."
From there, he could make a few small changes to the firmware, but not what he really wanted. So he poked around a bit more and found that a second password was required to move the battery into full access mode, which gave him the ability to make any changes he wished. That password is a default set at the factory and it's not changed on laptops before they're shipped. Once he had that, Miller found he could do a lot of interesting things with the battery.
"That lets you access it at the same level as the factory can," he said. "You can read all the firmware, make changes to the code, do whatever you want. And those code changes will survive a reinstall of the OS, so you could imagine writing malware that could hide on the chip on the battery. You'd need a vulnerability in the OS or something that the battery could then attack, though."
Apple Laptop Batteries Can Be Bricked, Firmware Hacked
(Image: Old Ray-O-Vac Batteries, a Creative Commons Attribution (2.0) image from deanj's photostream)
Most Facebook users have no idea how the company tracks and profiles everything they do to target ads, a new Pew Research study confirms.
China’s Huawei is the subject of a U.S. criminal investigation in which federal prosecutors say the Chinese tech company stole trade secrets from U.S. business partners including technology behind a robotic device T-Mobile used to test smartphones, called “Tappy.”
Following up on our earlier story about Roku re-platforming Alex Jones and Infowars, it looks like Roku got so much criticism from users, they’ve reversed course and will remove the Infowars app.
These days, there isn’t much our iPhone camera can’t do – except feel like an actual phone. Despite years of steadily increasing resolution and image sensing technology, we’re still taking shots awkwardly with two hands, fumbling for the shutter button. Leave it to an avid photographer to design Shuttercase, a versatile iPhone case that solves […]
Still determined to keep those New Year’s health resolutions? If you’re going to stick with the exercise plan, it’s enough of a challenge to budget your time. No need for your financial budget to take a hit, too. Here’s a more convenient – and cheaper – alternative to a gym membership or Peloton bike: Two […]
Want a career in web design? It’s true that these days, most anyone can throw up a page or two. But for true workhorse web design, you’ll sometimes need to match the platform to the project. Enter the Complete Front-End Developer Bundle, an educational grand tour around the best tools for the web. For beginners, […]