Hacker Halted: Charlie Miller on Battery Firmware Hacking


Dr. Charlie Miller, principal research consultant for Accuvant LABS and four time Pwn2Own winner, discusses Battery Firmware Hacking.

Charlie Miller spent five years as a Global Network Exploitation Analyst for the National Security Agency. During this time, he identified weaknesses and vulnerabilities in computer networks and executed numerous successful computer network exploitations against foreign targets.

He sought and discovered vulnerabilities against security critical network code, including web servers and web applications.

Since then, he has worked as a Senior Security Architect for a financial firm and Principal Security Analyst for Independent Security Evaluators, a security consulting firm. He is currently Principal Research Consultant at Accuvant Labs.

His areas of expertise include identifying vulnerabilities in software, writing exploits, and computer attack methodology. He is a Red Hat Certified Engineer (RHCE), GIAC Certified Forensics Analyst (GCFA), and is a Certified Information Systems Security Professional (CISSP).

He has a B.S. from Truman State University and a Ph.D. from the University of Notre Dame.

Presentation Abstract:

“Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors.”

“Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries, in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.”

“In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it.”

“Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues.”

Infosec Island was proud to be a media sponsor for the Hacker Halted Miami event.