Miller to detail Apple battery firmware risks

A talk planned for this year's Black Hat Conference raises an ugly spectre that previously existed only in the minds of tabloid writers covering this exciting new 'Internet' thing with these terribly evil 'hackers': the possibility that a ne'er-do-well can reach into your home remotely and put your very life at risk.

While previously relegated to hack-job newspaper columns from the 90s and poorly written films, recent research from security expert Charlie Miller suggests that the growing complexity of what was originally a simple component, the laptop battery, could lead to malware that causes very real physical damage.

In a talk titled Battery Firmware Hacking, due to take place at the Black Hat Conference in Las Vegas between the 30th of July and the 2nd of August, Miller is expected to demonstrate a method for modifying the firmware of an embedded controller used in the lithium ion and lithium polymer batteries of Apple's MacBook, MacBook Pro, and MacBook Air laptops.

"In this talk, I will demonstrate how the embedded controller works," Miller explains on his talk synopsis page. "I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it."

It's the latter modification that is giving the mainstream press a field day: by changing the operating parameters of the battery's controller, it's possible to render the battery useless by having its controller report that it can no longer hold any charge. Worse, it would in theory be possible to make the controller tell the charger that the battery can take more charge when it is, in fact, full.

To prevent this kind of modification - and to prevent the use of unauthorised batteries - Apple's batteries use a password to lock the controller so that its firmware cannot be updated from an unauthorised source. Unfortunately, that password is the same across all of Apple's batteries, and if Miller is demonstrating it at Black Hat you can bet it's going to be public knowledge soon enough.

"Being able to control the working smart battery and smart battery host," Miller warns, "may be enough to cause safety issues, such as overcharging or fire."
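The mechanics the preceding paragraphs describe, as an added example that is not code from the original article, from Miller's talk or from Apple: a Python toy model of a smart battery pack and the host that charges it. The SBS register numbers are the public Smart Battery Data Specification command codes; the unseal key, the per-cell ceiling and the capacity and voltage values are invented placeholders for illustration. It shows why a seal password shared by every pack is no protection, what someone holding it can change (the reported capacity, and the charging voltage the pack asks the host for), and one check an auditor or a defensive charger could run.

```python
"""Toy model of a Smart Battery System (SBS) pack and the host that charges it.

Constructed illustration, not Miller's code, Apple's firmware or a vendor SDK.
Register numbers are the public SBS command codes; the unseal key, cell limit
and parameter values are invented placeholders.
"""
from dataclasses import dataclass, field

# SBS command codes. In the SBS model the *pack* tells the charger what
# voltage and current to apply, so the pack's parameters drive the charger.
REMAINING_CAPACITY = 0x0F     # mAh
FULL_CHARGE_CAPACITY = 0x10   # mAh
CHARGING_CURRENT = 0x14       # mA requested by the pack
CHARGING_VOLTAGE = 0x15       # mV requested by the pack

FACTORY_DEFAULT_KEY = 0x1234  # hypothetical key shared by every pack off the line
MAX_CELL_MV = 4250            # hypothetical per-cell ceiling a charger enforces itself


@dataclass
class SmartBattery:
    """Pack controller: parameters can only be written while unsealed."""
    unseal_key: int = FACTORY_DEFAULT_KEY
    sealed: bool = True
    params: dict = field(default_factory=lambda: {
        REMAINING_CAPACITY: 5000,
        FULL_CHARGE_CAPACITY: 5000,
        CHARGING_CURRENT: 3000,
        CHARGING_VOLTAGE: 12600,  # 3 cells x 4.2 V, a normal Li-ion setpoint
    })

    def read(self, reg: int) -> int:
        return self.params[reg]

    def unseal(self, key: int) -> bool:
        """Only the holder of the key may open the pack for writes."""
        if key != self.unseal_key:
            return False
        self.sealed = False
        return True

    def seal(self) -> None:
        self.sealed = True

    def write(self, reg: int, value: int) -> None:
        if self.sealed:
            raise PermissionError("pack is sealed; unseal first")
        self.params[reg] = value


def brick(pack: SmartBattery, key: int) -> bool:
    """Holder of the key makes the pack report that it can hold no charge."""
    if not pack.unseal(key):
        return False
    pack.write(FULL_CHARGE_CAPACITY, 0)
    pack.write(REMAINING_CAPACITY, 0)
    pack.seal()
    return True


def raise_charge_request(pack: SmartBattery, key: int, mv: int) -> bool:
    """Holder of the key makes the pack ask the charger for a higher voltage."""
    if not pack.unseal(key):
        return False
    pack.write(CHARGING_VOLTAGE, mv)
    pack.seal()
    return True


def naive_setpoint(pack: SmartBattery) -> tuple:
    """Charger that trusts the pack completely, as the SBS model intends."""
    return pack.read(CHARGING_VOLTAGE), pack.read(CHARGING_CURRENT)


def hardened_setpoint(pack: SmartBattery, cells: int) -> tuple:
    """Charger that clamps the pack's request to a chemistry ceiling it knows
    independently of anything the pack's firmware reports."""
    mv, ma = naive_setpoint(pack)
    return min(mv, cells * MAX_CELL_MV), ma


def accepts_default_key(pack: SmartBattery) -> bool:
    """Audit check: does the pack still unseal with the shared factory key?
    Leaves the pack in the seal state it was found in."""
    was_sealed = pack.sealed
    opened = pack.unseal(FACTORY_DEFAULT_KEY)
    if opened and was_sealed:
        pack.seal()
    return opened


if __name__ == "__main__":
    pack = SmartBattery()                       # shipped with the shared key
    print("accepts factory key:", accepts_default_key(pack))
    raise_charge_request(pack, FACTORY_DEFAULT_KEY, 14000)
    print("naive charger would apply:", naive_setpoint(pack))
    print("hardened charger applies:", hardened_setpoint(pack, cells=3))
    rekeyed = SmartBattery(unseal_key=0x5A5A)   # per-unit key set in production
    print("rekeyed pack accepts factory key:", accepts_default_key(rekeyed))
    print("rekeyed pack bricked by factory key:", brick(rekeyed, FACTORY_DEFAULT_KEY))
```

The point the model makes is that in the SBS design the pack, not the host, states the charging voltage and current, so rewriting the pack's parameters changes what the charger does; a seal key that is identical on every unit is therefore no more protection than no key at all, while a per-unit key stops the `brick` and `raise_charge_request` paths and a charger that clamps requests to what the cell chemistry tolerates is the software backstop that sits alongside the hardware thermal fuse.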

That's a scary thought: while crackers were previously only capable of ruining your virtual life by stealing your credit card details and using your email accounts to send spam, they could now, in principle, turn your laptop into a ticking timebomb.

It's not as though the destructive power of lithium batteries isn't well known: manufacturers including Dell, HP, Sony, and Apple itself have recalled faulty units in the past based on a risk of fire. When a lithium fire starts, it burns fiercely and is difficult to extinguish, and one could easily spread to nearby materials to create a deadly conflagration.

Such a scenario, thankfully, seems unlikely in the extreme. While Miller points out that modification of the firmware 'may' be enough to cause a fire, such an outcome is near-impossible with a properly manufactured battery. Although faulty batteries have caught fire in the past, even a firmware-modified 'bomb battery' still contains a hardware fuse that the firmware cannot override, designed to permanently cut the battery's ability to charge if it reaches a temperature well above normal operating levels but far below that at which it will ignite.

Apple has so far not responded to our request for comment on Miller's claims, but it's worth mentioning that Apple is not the only manufacturer using the controller Miller has targeted for his talk.