Apple laptop batteries vulnerable to firmware hack

dead_and_busted_macbook_batteries

When you think about hacking laptops, it’s highly unlikely that you would ever consider the battery as a viable attack vector. Security researcher [Charlie Miller] however, has been hard at work showing just how big a vulnerability they can be.

As we have been discussing recently, the care and feeding of many batteries, big and small, is handled by some sort of microcontroller. [Charlie] found that a 2009 update issued by Apple to fix some lingering MacBook power issues used one of two passwords to write data to the battery controllers. From what he has seen, it seems these same passwords have been used on all batteries manufactured since that time as well. Using this data, he was subsequently able to gain access to the chips, allowing him to remotely brick the batteries, falsify data sent to the OS, and completely replace the stock firmware with that of his own.

He says that it would be possible for an attacker to inject malware into the battery itself, which would covertly re-infect the machine, despite all traditional removal attempts. Of course, replacing the battery would rectify the issue in these situations, but he says that it would likely be the last thing anyone would suspect as the source of infection. While using the battery to proliferate malware or cause irreversible damage to the computer would take quite a bit of work, [Charlie] claims that either scenario is completely plausible.

He plans on presenting his research at this year’s Black Hat security conference in August, but in the meantime he has created a utility that generates a completely random password for your Mac’s battery. He says that he has already contacted Apple to in order to help them construct a permanent fix for the issue, so an official patch may be available in the near future.

[Thanks, Sergio]

iPhone to Arduino communications sans jailbreak

iphone_to_arduino

When Google released their ADK allowing Android smart phones to interact with Arduino-based devices, we’re sure there were at least one or two iPhone users who felt left out. Thanks to the folks over at Redpark, those people can now interact with an Arduino without having to jailbreak their phone.

For anyone looking to do any sort of iPhone/Arduino interaction, this is a good thing – except for the price. The 30-pin to serial cable is currently available over at Make for $59, which honestly seems pretty steep to us. When we first saw this announced, our initial thoughts were that we would see an open-source version in no time.

Unfortunately, that idea was short-lived, as we were quickly reminded of Apple’s MFI program. If you are not familiar, MFI (aka Made for iStuff) program limits what can be connected to an iDevice via licensing fees and a boatload of legal agreements. While we won’t be picking up this dongle any time soon, we’re all ears if someone has done any reverse-engineering of those pesky MFI chips.

G-men pay [Kyle McDonald] a visit

Looks like the men in black have paid [Kyle McDonald] a little visit. The United States Secret Service is investigating him for fraud and related activity for his People Staring At Computers project. We just took a look at that one yesterday, and were thankful that all he was doing was taking people’s pictures and not stealing their information. Looks like [Uncle Sam] wasn’t being as lenient–or it could have been Apple that did the complaining since mums the word from the corporate giant. [Kyle’s] also keeping his mouth shut after soliciting the advice of the Electronic Frontier Foundation.

Since details are scarce, it’s time to play armchair lawyer. Let us know in the comments what you think [Kyle] might be up against, and whether we’ll see this thing hit the courts or not. And remember not to take those comments as legal advice since none of us actually know what we’re talking about.

By the way, the gentleman seen above isn’t [Kyle], he’s one of the unsuspecting ‘victims’ with some wikimedia commons slapped in for effect.

[Thanks Craig, David, and others]

These Apple-inspired speakers would make Steve Jobs envious

isound_speakers

Reader [Brett] sent in the build log of his beautiful set of Apple-inspired computer speakers for us to look over. Having seen our recent post on DIY speakers, he thought he would throw his hat into the ring as well, and we’re glad he did.

He wanted a nice set of speakers to complement his iMac, but couldn’t find anything he liked that would provide the sound quality he was looking for while closely matching the design of the computer. The speakers are constructed out of MDF with CNC milled acrylic front and back panels. Hand-built crossovers reside inside the speaker boxes, which provides for a clean, polished look. He originally planned on building a pair of subwoofers into his desk, but ultimately settled on building a single subwoofer to sit on the floor.

The finished product is simply stunning, and we would have a hard time believing they were a DIY project if we didn’t see them come together piece by piece. Do you think you can match [Brett’s] handiwork?  If so, feel free to share your speaker builds in the comments.

Android on iPhone: New treats

It seems that the iPhone 2g and 3g are the newest phones to get Android 2.2, codenamed Froyo. The process for installing Froyo if you have a jailbroken device seems to get even easier every time, with this revision being as simple as adding a repository, downloading Froyo, and pressing go. Follow the link for a wonderful step by step guide, complete with screenshots to take out all of the guess work. Android on iPhone sure has come a long way since the first time we covered it.

[via reddit]

Apple Studio Display connector ports

[Warrior_Rocker] pulled off his own Apple Studio Display hack by removing the cable and adding ports. As we saw in Wednesday’s post, these displays use a cable with a proprietary connector that combines DVI, USB and Power. Instead of altering the cable, [Warrior_Rocker] removed it completely. By wiring up a standard barrel jack for power, a USB type-B socket, and a DVI port, he can now use standard video, power, and USB cables to connect to the monitor.

This project was actually submitted to us on May 25th and we missed it. It’s sad that sometimes tips fall through the cracks, and we’re sorry that we missed this particularly well-executed hack. [Warrior_Rocker] wrote in asking why his project didn’t qualify after seeing the similar post on Wednesday. So please don’t take it personally if your project doesn’t get posted. If you think it fits right in here at Hackaday and haven’t heard anything after two weeks or so, consider sending to us again.

Keyboard concept uses magic trackpad

This is a keyboard alternative that [Sebastian] is building from two Apple Magic Trackpads. The multitouch devices are a good platform for this because they’re designed to pick up several events at the same time. To prototype the locations of the keys he’s using printable transparency sheets. He gives you a sense of where the home row is with a dab of clear fingernail polish that you can feel with your digits.

He may laser etch these pads once the key location is just right. This should give a bit of texture in itself and do away with the need for nail polish but we still like the ingenuity of that solution. The device is being developed in Linux, with some kernel hacking to handle the devices. We asked about source code and [Sebastian] is hesitant to post it because he’s been getting a lot of kernel panics. It sounds like once he cleans things up a bit he’ll share his work.

Don’t forget, there’s an easy hack to do away with the batteries in these things.