Security researcher Charlie Miller is no stranger to hacking Macs and iPhones via their software. This year at the Black Hat security conference, however, Miller took aim at something other than Apple's operating systems.
Miller noted that he normally looks at more obscure parts of OS X and iOS, but last year he saw Barnaby Jack's talk about hacking ATMs. That talk inspired him to find an area of research that he could more easily explain to a general audience.
To start off, Miller refuted media reports that claimed that he could explode Apple Mac batteries.
“I didn’t succeed despite what you might have read in some blogs,” Miller said. “But I did do some pretty cool stuff.”
Miller explained that the brains of the battery are on a chip inside the battery pack itself. That chip tracks how much capacity the battery has, and its controller communicates with both the charging circuitry and the operating system.
“What could happen? One thing I can definitely do is I can brick a battery so you can make someone’s battery not work anymore,” Miller said. “I can also reprogram the battery to report whatever I want to the OS.”
Miller said that with such a capability, one could make an old battery report itself as new. He joked that you could then take the old battery back to Apple and ask for a replacement.
Miller added that code placed on the battery chip would also survive a reinstallation of the operating system. Such code could potentially attack the operating system again and again, because wiping the disk does not touch the battery's firmware.
At the root of Miller’s research is one fundamental flaw that enabled everything else. Miller discovered that Apple uses a Texas Instruments battery chip that is protected by an unseal key; that key is what allowed him to make changes to the battery. As it turns out, Apple ships the chip with the manufacturer's default unseal key, which Miller was able to discover easily with a little help from Google.
“If I had to summarize this whole talk on Twitter, Apple didn’t change the passwords which allowed me to do stuff,” Miller said.
Miller added that the unseal password was the same on every Apple MacBook Pro and MacBook Air he was able to examine.
As part of his evaluation, Miller also looked at aftermarket batteries. Ironically, the aftermarket battery makers were not using the default unseal password, so he could not hack those batteries.
“I didn’t blow up a battery but if you’re worried about it, I created a tool that will change the password,” Miller said.
Miller’s battery password tool is called Caulkgun. Miller warned, however, that he has not tested the tool widely. He also warned that if Apple releases a battery firmware update, the update will fail on a battery whose password has been changed, since Apple's updater would still expect the default.
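The trade-off Miller describes, a default unseal key that lets anyone rewrite the battery controller, a key change that blocks that but also breaks a vendor updater that assumes the default, can be shown with a small model. The following Python is an added illustration and is not Miller's code, Caulkgun, or anything from the Texas Instruments chip; it keeps only the sealed/unsealed access-control logic. The two-word key format, the placeholder DEFAULT_KEY value, and the function names are assumptions for the demo, not values from the talk.

```python
"""Model of a sealed smart-battery controller guarded by an unseal key.

Added illustration, not code from Miller's talk or from Caulkgun. A real
controller is reached over SMBus; this model keeps only the access-control
logic. The key format (two 16-bit words) and DEFAULT_KEY are assumptions.
"""

DEFAULT_KEY = (0x1234, 0x5678)  # placeholder factory default (assumption)


class BatteryController:
    """Sealed/unsealed state machine guarding the writable battery data."""

    def __init__(self, unseal_key=DEFAULT_KEY):
        self._unseal_key = unseal_key
        self.sealed = True
        self.firmware_version = "1.0"
        self.cycle_count = 412  # an "old" battery

    def unseal(self, key):
        """Enter unsealed mode if the key matches; return whether it did."""
        if key == self._unseal_key:
            self.sealed = False
        return not self.sealed

    def seal(self):
        self.sealed = True

    def _require_unsealed(self):
        if self.sealed:
            raise PermissionError("controller is sealed")

    def set_unseal_key(self, new_key):
        self._require_unsealed()
        self._unseal_key = new_key

    def write_cycle_count(self, n):
        self._require_unsealed()
        self.cycle_count = n

    def flash_firmware(self, version):
        self._require_unsealed()
        self.firmware_version = version

    def status_report(self):
        """What the OS is told; an unsealed writer can make it say anything."""
        return {"cycles": self.cycle_count, "fw": self.firmware_version}


def attacker_with_default_key(ctrl):
    """Try the attack from the article: unseal with the factory default key
    and make an old battery report itself as new."""
    if not ctrl.unseal(DEFAULT_KEY):
        return False
    ctrl.write_cycle_count(0)
    ctrl.seal()
    return True


def rotate_unseal_key(ctrl, current_key, new_key):
    """Change the unseal key, the mitigation the article attributes to Caulkgun."""
    if not ctrl.unseal(current_key):
        return False
    ctrl.set_unseal_key(new_key)
    ctrl.seal()
    return True


def vendor_firmware_update(ctrl, version):
    """A vendor updater hard-wired to the factory key; fails once the key is rotated."""
    if not ctrl.unseal(DEFAULT_KEY):
        return False
    ctrl.flash_firmware(version)
    ctrl.seal()
    return True


def demo():
    """Run the four scenarios and return their outcomes as booleans."""
    stock = BatteryController()
    attacked = attacker_with_default_key(stock)          # default key works
    hardened = BatteryController()
    rotated = rotate_unseal_key(hardened, DEFAULT_KEY, (0xBEEF, 0xCAFE))
    blocked = not attacker_with_default_key(hardened)    # attacker locked out
    update_ok = vendor_firmware_update(BatteryController(), "1.1")
    update_broken = not vendor_firmware_update(hardened, "1.1")  # the caveat
    return attacked, rotated, blocked, update_ok, update_broken


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last line of demo(): once the key is rotated, the same check that locks out an attacker also locks out any legitimate tool that only knows the factory default, which is exactly the caveat Miller attached to Caulkgun.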