According to a concerning new report from security researcher Charlie Miller, Apple’s MacBook line of notebooks have a security vulnerability that could allow a hacker to control your battery’s smart chip, potentially causing it to overheat and explode.
According to Miller, who plans to expose and provide a solution to the issue at August’s Black Hat security conference, these batteries contain a microchip that monitors and controls the battery function, telling your computer when to stop charging and so forth.
Apparently all of the chips within batteries used by Apple in their MacBooks have shipped with default passwords, meaning that anyone who becomes aware of the password can then learn to control the chips’ firmware, and potentially hijack the battery to do their bidding, whether than means refusing to charge, or even cause the battery to overheat and potentially catch fire or explode.
What’s more concerning is that, because the battery relies only on the chip within the battery, such an attack would be able to survive a reinstall of your system, and even a complete hard drive replacement.
According to Miller, these batteries just aren’t designed with the idea that someone might try to mess with them. Miller discovered the two main default passwords used to control MacBook batteries by analyzing a battery-related Apple firmware release. Further, Miller suggests that a hacker could easily write and upload a custom firmware to the batteries which would enable a hacker to steal data from your machine without your knowledge.
Personally, I’m not inclined to take this threat very seriously, judging by the fact that no known cases of such hijacking have yet been reported. Furthermore, the hack is very complicated, requiring the potential exploiter to implement a way to alter the battery firmware, which so far nobody has been able to do. In addition, reports indicate that even when researchers attempted to hijack a battery and cause it to catch fire, they have been unsuccessful, although they have been able to disable the battery.
In the end, I wonder what the worse problem is: that this battery vulnerability exists, or that Charlie Miller has just announced its existence to the world before providing a fix. Personally, I’m not too sure that Charlie Miller hasn’t just posed a much greater threat than the vulnerability itself ever could have.