OS X Lion Raises Bar on Security, But Battery Firmware Vulnerability Surfaces

For Apple's sake and the sake of the product, shout-outs to the person behind finding and talking about this severe security hole. How could Apple have missed this? Then again, OS X is now incredibly secure; mistakes happen.


But this needs to be addressed ASAP, or I know I'd honestly never buy an Apple laptop with this vulnerability - that's of course to say, I wouldn't spend my well-earned money on any other laptop if it's not a Mac, but with an issue like this, I would hold off until this is alleviated. :eek:

The severity remains to be seen. It does not provide an attack vector into the machine, it is merely something that can be exploited on an already compromised machine. Yes you can physically damage the machine, but you can physically damage a compromised machine in a lot of ways.

I am not sure if Miller's tool is the answer; I believe by randomizing the password you may prevent Apple from updating the firmware on the battery. (I suppose you could change it back to apply an update.)

To me it looks like this is all Miller could find, so he ran with it for some headlines. Do other machines even have a security mechanism on the battery firmware? It is most likely to prevent end users from damaging their machines than it is a security feature. The linked article does not even pretend to assert this could be used to compromise a machine in any way. They do say if you found an unknown vulnerability in part of an already compromised machine, you could possibly use this to re-attack the machine. That logic can be applied to every component in the system that has firmware. There is no reason the same thing could not be done from the NIC or the video card.
 
For Apple's sake and the sake of the product, shout-outs to the person behind finding and talking about this severe security hole. How could Apple have missed this? Then again, OS X is now incredibly secure; mistakes happen.


But this needs to be addressed ASAP, or I know I'd honestly never buy an Apple laptop with this vulnerability - that's of course to say, I wouldn't spend my well-earned money on any other laptop if it's not a Mac, but with an issue like this, I would hold off until this is alleviated. :eek:

Um, overreact enough?

You have to give them your laptop, then they'd have to know what to do with it. Seeing as it's getting as much press as it's gotten, I'd say this is a newly discovered exploit.

No real need to get worked up, unless you've had your laptop serviced at some shady place that took it apart for you.
 
Yeah, IDK what got into me, or I was just exemplifying the worst-case scenario. It's still a potentially severe vulnerability. I mean, as secure as any OS is, I've got the experience to know what could potentially be malicious code, but even then, there's always the possibility; but I was saying more for other users, who may very well take their laptop to get serviced somewhere shady (which would just be a stupid choice), or download malicious code because many users are too ignorant or inexperienced to have the "potential malicious code" flag go up even though it is on OS X.

Or, because it's on OS X, some people may think "nothing ever bad can happen", because no OS is ever 100% secure forever, unless updated appropriately.

However, all this has yet to be seen, right?
 
Does this exploit require physical access to the computer?

I would be surprised if firmware hacking of this type didn't require physical access to the machine.

I'm guessing root access is needed. I could be wrong, though.

The article describes moving from the firmware to the OS to use this as a vector to install malware.

So, it doesn't make sense to remotely exploit the OS to install malware into the firmware and then move the malware back into the OS. Unless the goal is to evade removal.

Some articles related to this refer to requiring an OS vulnerability to migrate malware from firmware to OS. So, DAC would need to be bypassed via privilege escalation which is not common in OS X.

Most firmware hacking involves booting the machine off a USB drive that uses a small distro of Linux to alter some hardware's firmware or scrape the RAM to disclose sensitive data from memory (cold boot attack).
 
I think it'd be very cool to have a small, super secure OS on hand. That said, if it's coming from the DoD and approved for public use (as in allowed for download), I can only assume there is some monitoring stuff in there (regardless of the official PR).
Yeah I carry a portable instance of Chrome around on a Flash drive. I could go as far as to make a bootable USB of Puppy Linux. I like the potential of using something vetted by the DoD. I read the Distrowatch quick review and the documentation.
 
Given the rapid evolution of linux, I'd say if Lion is on top, it's only for now.

That said, there are MANY variations of Linux, I just downloaded the one from the Department Of Defense to play around with:

http://linux.slashdot.org/story/11/07/21/235215/A-Linux-Distro-From-the-US-Department-of-Defense

Incoming lolsuit by Windows.



Didn't Microsoft go after Lindows for this?
 
Safest full blown commercial OS out there. Though given that there really are only two players in the game....

What's not commercial about the following OSes?

- AIX
- z/OS
- i5/OS
- HP-UX
- OpenVMS
- Solaris
- Oracle Enterprise Linux Server
- SuSE Linux Enterprise Server
- RedHat Enterprise Linux Server

... I could go on you know, we haven't even left the server segment yet. Once we get into embedded or commercial hypervisors... ouch, the list might be endless. All of these products are commercial (either paid for to a corporate entity for a license, or a license obtained for free on hardware purchases from a corporate entity, with paid-for support contracts).

Maybe you meant Consumer?
 
Does this exploit require physical access to the computer?

Yes, that is the question, but considering how good hackers are getting, probably not, even though they would first have to circumvent the OS itself to push code into the battery. Can't even imagine how they would be able to do that.

Still if that is all that is left I would say that we mac users can brag again about security and virus free, weeeeeeeeeeeeeeeeeeeeeeeee:D
 
Maybe you meant Consumer?

Definitely would have to limit the scope to the top three desktop OSs in terms of market share if you want to declare OS X is the most secure (tied for first with Linux).

Both iOS and Android are most likely still more secure than OS X.
 
Yes, that is the question, but considering how good hackers are getting, probably not, even though they would first have to circumvent the OS itself to push code into the battery. Can't even imagine how they would be able to do that.

Still if that is all that is left I would say that we mac users can brag again about security and virus free, weeeeeeeeeeeeeeeeeeeeeeeee:D

What question? Charlie Miller answers it: This requires a flaw in the OS to exploit, i.e., either a remote root vulnerability or a remote code execution and local privilege escalation vulnerability.

Once you have those, you're as good as having physical access to the device and can then use this battery vulnerability to either brick the battery like he said, rendering it useless (and thus forcing the user to pay Apple to fix the machine... ah, good old DOS days type mischief and wanton chaos) or by replacing the firmware with your own, that does some nasty things which an OS reinstall can't even wipe.
 
What question? Charlie Miller answers it: This requires a flaw in the OS to exploit, i.e., either a remote root vulnerability or a remote code execution and local privilege escalation vulnerability.

Once you have those, you're as good as having physical access to the device and can then use this battery vulnerability to either brick the battery like he said, rendering it useless (and thus forcing the user to pay Apple to fix the machine... ah, good old DOS days type mischief and wanton chaos) or by replacing the firmware with your own, that does some nasty things which an OS reinstall can't even wipe.

Is it just because of the particular type of battery Apple uses or can this type of exploit theoretically attack Windows laptops as well?

Also, would using such a utility void any warranty that might be on the battery?
 
Definitely would have to limit the scope to top three desktop OSs in terms of market share if want to declare OS X is the most secure.

Both iOS and Android are most likely still more secure than OS X.

I completely forgot about the mobile market. WebOS, QNX, Symbian, Android, MeeGo/Maemo and of course iOS... all consumer branded options.

Yep, so it's not commercial he meant, nor consumer...

Desktop/laptop, commercial, consumer OSes with more than 4% market share in the last sales quarter? Let's hope ChromeOS doesn't ever catch on, that could throw another wrench in the "there's only 2 contenders". ;)

Is it just because of the particular type of battery Apple uses or can this type of exploit theoretically attack Windows laptops as well?

Also, would using such a utility void any warranty that might be on the battery?

I can't answer those questions, unfortunately. It's probably safe to say Apple isn't the only one using said battery controller. Do other manufacturers change the password to random strings during manufacturing? Put the controller in a sort of read-only mode? The article doesn't say, and thus only TI knows the answer (and other manufacturers as well).

The utility probably doesn't void your warranty, but it will make it impossible to update the firmware legitimately if Apple ever pushes out an update. And without the update installed, you might have problems getting service for said battery (vendors do like their "update to the latest version!" answer to every problem you ever have).
 
Still if that is all that is left I would say that we mac users can brag again about security and virus free, weeeeeeeeeeeeeeeeeeeeeeeee:D

All this new security in Lion does nothing to mitigate malware, such as MACDefender, that relies completely on social engineering.

The user still has to apply a good amount of safe computing practices to be safe online. This will always be true.
 
I was really hoping that Apple would be aggressive with the security upgrades in Lion. These upgrades are reason enough to get Lion. This is really great news.
 
Let's hope ChromeOS doesn't ever catch on, that could throw another wrench in the "there's only 2 contenders". ;)

An OS running in browser-only mode definitely has less attack surface than a full OS.

A comparison between ChromeOS and OS X run in browser-only mode, as this feature is now available in Lion, could be interesting.
 
It's great to see Charlie Miller sharing info with Apple and TI. These are the types of hackers the world needs. Hopefully he's compensated for his work.
 
An OS running in browser-only mode definitely has less attack surface than a full OS.

A comparison between ChromeOS and OS X run in browser-only mode, as this feature is now available in Lion, could be interesting.

@ munkery, I would just like to thank you for your posts. They have been extremely informative and well explained on a subject I know little about. Cheers.
 
Seems like solving this issue would be easy in theory for Apple, but in practice would require a lot of work if the firmware wasn't implemented properly.

If the password is stored as a hash in the firmware, then Apple could just flash the firmware with a new default password hash, so the plaintext password isn't in the new software update itself, and any future update would require the new secured password.

If the password isn't stored as a hash, then Apple can't just change the passwords on each MacBook, since hackers would be able to extract the new password from any software update. Apple would need to rewrite portions of all MacBook battery firmwares going back to 2006 to fix it. The more significant the changes between firmware in different battery models, the more work it would be to fix.

It also sounds like the battery firmware isn't requiring any software update to be signed by Apple. If that's the case, then to solve this issue for good, the firmware on the battery will need to be updated to only accept signed updates in the future. Otherwise, any future battery firmware update will reopen the vulnerability to unpatched machines.
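As an added illustration of the hash-versus-plaintext argument in the post above (constructed for this thread, not Apple's or TI's code), a toy sealed-controller model whose credential-rotation update carries only a salt and digest, so the new password never appears in the update image. The controller, its commands, the KDF and the sample passwords are all assumptions; the signed-update requirement from the last paragraph is not modelled here.

```python
# Toy model of a hash-stored unseal password on a battery controller, written for
# this thread; the controller and its commands are constructed, not TI's or Apple's
# real interface. Only a digest is stored, so a rotation update never carries plaintext.
import hashlib
import hmac
import os


def digest(salt: bytes, password: bytes) -> bytes:
    # constructed KDF choice for the toy model: PBKDF2-HMAC-SHA256
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


class SealedController:
    """Simulated gas-gauge controller: sealed by default, unsealed by password."""

    def __init__(self, salt: bytes, password_hash: bytes):
        self._salt, self._hash = salt, password_hash  # digest only, no plaintext
        self.sealed = True

    def unseal(self, password: bytes) -> bool:
        # constant-time compare so the check itself does not leak the digest
        if hmac.compare_digest(digest(self._salt, password), self._hash):
            self.sealed = False
        return not self.sealed

    def apply_update(self, update: dict) -> bool:
        """Rotate the credential: needs an unsealed controller and a payload of
        salt + digest only; a payload carrying a plaintext password is refused."""
        if self.sealed or "password" in update:
            return False
        self._salt, self._hash = update["salt"], update["password_hash"]
        self.sealed = True  # reseal once the new credential is in place
        return True


def build_rotation_update(new_password: bytes) -> dict:
    """What a vendor would ship to rotate the password: salt + digest, no plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "password_hash": digest(salt, new_password)}


def demo() -> tuple:
    old_pw, new_pw = b"factory-default", b"per-unit-secret"  # constructed values
    salt = os.urandom(16)
    ctl = SealedController(salt, digest(salt, old_pw))
    opened = ctl.unseal(old_pw)                      # known default still works
    update = build_rotation_update(new_pw)
    applied = ctl.apply_update(update)               # rotate while unsealed
    old_rejected = not ctl.unseal(old_pw)            # old default now fails
    return opened, applied, old_rejected, ctl.unseal(new_pw), new_pw not in update.values()
```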
 
And yeah, there are many variations of the Linux OS, however they still share certain core, root characteristics or else they wouldn't be called Linux, so I'd imagine certain Linux holes will be prevalent regardless of the distro?

Kernel exploits tend to carry across most distros. Exploitability of remote vulnerabilities varies due to many Linux distros not using security mitigations, such as ASLR, etc. Typically, Linux distros targeting lower-resource systems omit more security mitigations. Security mitigations, specifically ASLR, are hard to implement without incurring more computational overhead, leading to performance degradation.

I've read Win 8 is gonna more or less be completely rewritten from the ground up and will just have an emulation layer for legacy Windows apps, à la Rosetta, but given it's not emulating a different architecture, it wouldn't affect performance too much.

Windows 8 still uses the NT kernel. Windows 8 still uses the registry.

The only big change in Windows 8 is added support for more hardware types, such as ARM.

ARM Windows 8 will not have an emulation layer. Legacy binaries will not run on ARM Windows 8. Existing binaries will have to be recompiled to run on ARM.

Intel Windows 8 will continue to have a compatibility mode for legacy apps.

Apps developed after Windows 8 is released will most likely be universal binaries, much like during Apple's PPC to Intel transition.

Unless MS splits the two platforms similar to the split between iOS and OS X.

Actually Lion upgrades hashes to SHA-512

Really? I did not know that. Thank you very much.

Where did you find that info?
 
Great that Osama is dead. He would have loved to explode batteries in the US.

Seriously: how would such an attacker find that password?

Is that password reset tool necessary for Lion users?
 