Black Hat: Charlie Miller explains Apple notebook battery hack



LAS VEGAS: Researcher Charlie Miller took to the stage at the Black Hat conference yesterday to discuss his headline-making Apple battery hack.
The principal engineer for Accuvant Labs gave a detailed presentation on the process used to reverse-engineer Apple's battery firmware and manipulate its data in a way that can render a battery useless.
In theory it could also be used as the starting point for denial-of-service and remote access attacks, according to Miller.
"You can imagine a situation where the code in the battery is actually attacking the operating system. This is going to survive reinstallation," he said.
Miller explained that the heart of the vulnerability lies in the way Apple notebooks interact with a series of three chips which perform maintenance and safety operations, such as reporting current capacity and preventing cells from overcharging.
The researcher found that certain aspects of the battery's controls could be accessed using a default access key on the microcontrollers. Eventually Miller was able to dig even further and access the battery chips on the ROM level, where erasing data and 'bricking' the battery pack was possible.
Miller said that, as his research progressed, the project became more expensive. In addition to the hardware and software tools required to analyse and overwrite code, Miller said that mistakes resulted in the unintentional bricking of many battery units.
"I was ordering two or three batteries at a time, I was going through them so fast," he said.
Eventually, Miller developed an API to access the battery firmware, code to brick a battery pack, and a tool which can prevent an attack, although that process is irreversible and will block future battery firmware updates from Apple.
Throughout his research, Miller said that one task he was never able to accomplish was reprogramming the battery to intentionally overheat and combust. Even if intentional overheating were possible, thermal hardware cut-off switches are likely to stop the cells catching fire.
"I never blew up a battery, and I'm not too worried about someone blowing up mine," he said.

Source: http://www.v3.co.uk/v3-uk/news/2099616/black-hat-charlie-miller-explains-apple-battery-hack

