Here’s a question for you. If you wanted to create some piece of malware that would survive replacing the hard drive, flashing the BIOS, and reinstalling the O/S from a clean set of disks, and with no network connection, how would you do it? Seems impossible, doesn’t it? How could an infection get back in without any way for the infection to have survived the “wipe and start over” process?
Well, a well-known hacker named Charlie Miller found a way… the battery.
That’s right, the battery. It turns out that the latest models of Apple’s MacBooks have “smart” batteries with a chip to monitor things like battery usage, status, and so on. And, apparently, none of the designers thought to secure the battery’s microcontroller beyond a simple password, which is the same for every battery.
According to an article at geek.com:
By reverse engineering the firmware used for the chips he can tell the laptop anything he wants about the state of a battery. That makes it very simple to render the battery unusable and requiring the user to buy an expensive replacement. Although he didn’t attempt it, overloading the battery to the point where it overheats causing damage is also feasible.
It gets worse, though. Instead of relaying battery status updates to Mac OS, Miller believes it would be possible to inject malware on to the system through the chip.
As quoted in an article at tekgoblin.com:
“You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would re-attack and screw you over. There would be no way to eradicate or detect it other than removing the battery.”
You can read Charlie Miller’s own description on the blackhat.com site archives, where he gave a talk about it last month. Note that many laptops come with such “smart” batteries, which allow things such as charging (but not over-charging) the battery even with the computer off.