
Exploiting Hardware Vulnerabilities

Charlie Miller On Hacked Batteries, Cloud Security, And The iPad
By

Alan: Let’s talk about the battery exploit. How did you even come up with the idea about looking for vulnerabilities in the battery?

Charlie: At Black Hat last year I saw Barnaby Jack's ATM hacking talk and thought the coolest thing about it was how you could explain what he did to someone with no technical know-how. "You see that ATM? I can make it spit out money." I wanted to work on something like that and thought about the risks of battery safety for laptops. I set out to see if a remote attacker could blow up my laptop. I still don't really know the answer to that question, but I do know that 1) attackers can certainly get far into that subsystem and 2) I can't blow up a battery :) It was a fun (but long) project because I don't know that much about hardware, so I had to learn a lot as I went.

Alan: This exploit would be resistant to reformatting, right? The ultimate pre-boot malware.

Charlie: So, one of the things I show you can do is make modifications to the firmware that runs on the main chip on the smart battery. You can make it do whatever you want because Apple used default passwords on the chips (made by Texas Instruments). Code you put there would survive reinstallation of the OS, new hard drives, new motherboards, and so on. However, the code cannot directly affect the OS or hard drive, so in order for it to be malware, it would have to attack the OS through some kind of vulnerability in the way the OS handles messages from the battery. Now, I don't know if such a vulnerability exists, but I do know that whoever wrote that code wasn't thinking that the battery would be sending malicious data, so I wouldn't be surprised to find one!

Alan: What about systems implementing trusted boot and things like Intel Trusted Execution Technology? Could that have prevented this attack?

Charlie: No, that wouldn't help. The boot process would all be fine and dandy and after the OS was up and running, the battery would attack it (if such a vulnerability exists) and then inject code.

Alan: When you or any other security researcher discovers system vulnerabilities like this, it’s natural for people to assume that this is the "first discovery" of the problem. Indeed, oftentimes it is only days after a vulnerability is reported that attacks show up based upon the newly published vulnerability. But we know the bad guys are talented. The bad guys may actually have more money behind them. As the stakes get higher, when do we begin to assume that the bad guys have beaten us to discovery and that any vulnerability that is reported is already actively being exploited and we just didn’t know?

Charlie: This is a really interesting question. I'm always worried that other researchers are going to discover the same things I discover before me. In fact, I had a Mac OS X exploit ready to go at Pwn2Own this year and didn't get a chance to use it because someone else beat me to it. Then, a few days later, Apple patched it, so someone else had independently found it (or pwned me and stole it!). That was something I liked about the battery research, because I thought nobody would ever think of this wacky idea and I could take my time looking at it. But it turns out that Barnaby Jack (the ATM hacking guy I mentioned earlier) had looked at exactly the same thing about a year ago, discovered many of the same things I found, and never told anyone because he didn't catch his laptop on fire. So no matter how clever you are, the odds are that somebody else already knows how to do what you're trying to do. People think I find good stuff, but I'm one guy doing this in the evening for fun with no budget. Compare that to all the money the U.S. government (or China) spends on cyber security. It is hard to imagine they don't know some things we haven't figured out yet.

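The class of bug Charlie describes above, as an added illustration that is not part of the interview and is not Apple's, Texas Instruments' or any real driver's code: a host-side smart-battery driver that treats bytes coming back over SMBus as trusted. In the Smart Battery Data Specification, strings such as ManufacturerName (command 0x20) and DeviceName (0x21) are returned by an SMBus block read: a device-supplied length byte followed by at most 32 data bytes (the SMBus 2.0 limit). Once the battery's firmware has been reflashed, every one of those bytes, including the length, is attacker-controlled. The bus is simulated here with constructed byte arrays so the file runs offline; the function names, the status codes and the hostile frame are assumptions made for this example.

```c
/*
 * Added example: host-side validation of smart-battery (SBS) replies.
 * Hypothetical driver code, not from the interview or from any vendor.
 * The SMBus transaction is simulated with constructed byte arrays.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMBUS_BLOCK_MAX 32                  /* SMBus 2.0: at most 32 data bytes per block read */
#define SBS_NAME_CAP (SMBUS_BLOCK_MAX + 1)  /* plus a terminating NUL */

/* Result codes for sbs_read_string() (names assumed for this example). */
enum sbs_status {
    SBS_OK = 0,
    SBS_ERR_SHORT_FRAME,   /* fewer bytes arrived than the length byte claims */
    SBS_ERR_LEN_TOO_BIG,   /* length byte exceeds the SMBus block maximum */
    SBS_ERR_NOT_PRINTABLE  /* a name should never carry control bytes */
};

/*
 * Simulated SMBus block read. A real driver would issue the command
 * (e.g. 0x20 ManufacturerName, 0x21 DeviceName) and receive a length byte
 * followed by data; here the "battery" is a byte array the caller built.
 * Copies at most `cap` bytes into `raw` and returns how many were copied.
 */
static size_t smbus_block_read_sim(const uint8_t *wire, size_t wire_len,
                                   uint8_t *raw, size_t cap)
{
    size_t n = wire_len < cap ? wire_len : cap;
    memcpy(raw, wire, n);
    return n;
}

/*
 * The naive pattern this guards against (shown, not executed):
 *     memcpy(name, raw + 1, raw[0]);   // raw[0] is device-chosen, up to 255
 * With a reflashed battery the length byte is attacker-chosen, so that one
 * line is an overflow of a 33-byte buffer in the host driver.
 */

/* Hardened reader: every byte from the battery is untrusted input. */
static enum sbs_status sbs_read_string(const uint8_t *raw, size_t got,
                                       char name[SBS_NAME_CAP])
{
    name[0] = '\0';
    if (got < 1)
        return SBS_ERR_SHORT_FRAME;
    uint8_t len = raw[0];
    if (len > SMBUS_BLOCK_MAX)
        return SBS_ERR_LEN_TOO_BIG;        /* bound by the protocol, not the device */
    if ((size_t)len + 1 > got)
        return SBS_ERR_SHORT_FRAME;        /* bound by what actually arrived */
    for (size_t i = 0; i < len; i++) {
        if (!isprint(raw[1 + i])) {
            name[0] = '\0';                /* no control bytes into logs, sysfs or UI */
            return SBS_ERR_NOT_PRINTABLE;
        }
        name[i] = (char)raw[1 + i];
    }
    name[len] = '\0';
    return SBS_OK;
}

/*
 * Numeric registers deserve the same distrust. State of charge is commonly
 * RemainingCapacity (0x0F) / FullChargeCapacity (0x10); a hostile battery can
 * report a zero denominator or an impossible ratio. Return -1 instead of
 * dividing by zero or reporting 300%.
 */
static int sbs_percent(uint16_t remaining, uint16_t full)
{
    if (full == 0 || remaining > full)
        return -1;
    return (int)((100u * remaining) / full);
}

/* Full path from simulated wire frame to validated string. */
static enum sbs_status read_name_from_wire(const uint8_t *wire, size_t wire_len,
                                           char name[SBS_NAME_CAP])
{
    uint8_t raw[1 + SMBUS_BLOCK_MAX];
    size_t got = smbus_block_read_sim(wire, wire_len, raw, sizeof raw);
    return sbs_read_string(raw, got, name);
}

int main(void)
{
    /* Constructed frames: a well-formed name, and a hostile one whose length
       byte (0xFF) would send the naive memcpy 255 bytes into a 33-byte buffer. */
    static const uint8_t good[] = { 4, 'A', 'C', 'M', 'E' };
    static const uint8_t hostile[] = { 0xFF, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    char name[SBS_NAME_CAP];

    int s1 = read_name_from_wire(good, sizeof good, name);
    printf("good:    status=%d name=\"%s\"\n", s1, name);
    int s2 = read_name_from_wire(hostile, sizeof hostile, name);
    printf("hostile: status=%d name=\"%s\"\n", s2, name);
    printf("percent(4000,5000)=%d percent(4000,0)=%d\n",
           sbs_percent(4000, 5000), sbs_percent(4000, 0));
    return 0;
}
```

The two checks in sbs_read_string() are deliberately separate: the protocol maximum catches an absurd length byte, and the comparison against the byte count that actually arrived catches a length that is legal on paper but larger than the frame, which is the case a parser that only checks one bound still mishandles. sbs_percent() makes the same point for numeric registers, where the failure is a divide-by-zero or a nonsense value fed into charging logic rather than a memory corruption.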
Comments (16; thread closed)

  • Darkerson, August 2, 2011 4:38 AM (score 0)
    Pretty interesting read. Keep up the good work!
  • pepe2907, August 2, 2011 5:53 AM (score 2)
    Good call, but whoever actually reads the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.
  • DavC, August 2, 2011 7:53 AM (score 0)
    interesting read!
  • mayankleoboy1, August 2, 2011 3:34 PM (score 0)
    Quote:
    No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.

    exactly
  • mayankleoboy1, August 2, 2011 3:40 PM (score 1)
    if only software could be people-proof.
  • jacobdrj, August 2, 2011 5:05 PM (score 2)
    Quote (mayankleoboy1):
    if only software could be people-proof.

    "A farmer notices his chickens are getting sick, he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, he suddenly stops and says "I've got it, but it would only work if the chickens were spherical and in a vacuum."" - Big Bang Theory...
  • slicedtoad, August 2, 2011 5:46 PM (score -1)
    So is it safe to say that as an end user we shouldn't be over-concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't reuse passwords (for the important stuff anyway), get a decent AV (like ESET) and keep your computer up to date.
    Multi-layered security on a home PC doesn't make sense, nor do 15-character alphanumeric passwords (in most cases). No one is going to specifically target you or your PC.
  • weaselsmasher, August 2, 2011 6:17 PM (score -5)
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
  • christop, August 2, 2011 7:20 PM (score -3)
    Enjoyed this. Wish I had a few 0days sitting around to sell.
  • PreferLinux, August 2, 2011 9:25 PM (score 0)
    Quote (pepe2907):
    Good call, but whoever actually reads the license agreements knows software manufacturers refuse any possible liability for any damages. If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.

    Yes, but whether that is fully legal or not is another story.
  • cangelini, August 3, 2011 1:54 AM (score 4)
    Quote (weaselsmasher):
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?

    I'm inclined to answer "security" and a guy who knows an awful lot about it ;-)
  • AlanDang, August 3, 2011 2:28 AM (score 3)
    Quote (weaselsmasher):
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?

    Nothing wrong with both, right? The people I invite to interview are people who do a good job of explaining complex technical things in a straightforward manner. At some point though, if you get to keynote an international NATO conference on cyber security, you deserve a little bit of bragging rights. But truthfully, Charlie is still a normal, down-to-earth guy when doing an interview... and that's a win for everyone. You guys get access to cool content that's rarely discussed at other websites, and it's not too boring to read... and it's free. I can tell you it's way more fun talking with engineers as opposed to PR people...
  • Anonymous, August 3, 2011 4:29 PM (score 0)
    @Alan Dang, you wrote: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
    This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users *can* protect themselves.
    But the sad part in this case is that it's the security-conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers.
  • dndhatcher, August 3, 2011 10:29 PM (score 0)
    The article is very interesting. I tried to listen to the keynote and my eyes glazed over. He's obviously got expertise with the subject matter, but could use some presentation training before he starts on the lecture circuit.

  • slicedtoad, August 4, 2011 12:53 AM (score 0)
    @dndhatcher
    Really? I delayed watching it for a while because it was long, but damn was it interesting. He certainly isn't in PR but he's not bad at speaking. Certainly better than Mr. Facebook.
  • Anonymous, August 10, 2011 10:01 AM (score 0)
    Battery as an attack vector is at least (almost) as old as the original PSP. One way to install custom firmware to it is to modify the battery. Search for "pandoras battery" if you want to know more.