News this morning is that a security researcher by the name of Charlie Miller discovered a new and potentially troublesome security vuln in Apple laptops. It seems that the CMOS battery is protected using default passwords, meaning the same password is set for every laptop. There is more discussion of the issue here at the Internet Storm Center and the original article, here.
So, ok… What does all this mean?
Computer motherboards – the sort of backbone of your computer, where all your drives and goodies connect – have a small amount of writable memory on them that holds configuration for the hardware itself. You may never have seen this data, and that’s a good thing: modern computers spare their users the hassle of navigating text-only windows of inscrutable data and settings. Those settings can have huge impact on the usability of your computer, up to and including rendering the computer unusable, and the memory that holds this information is actually much larger than the amount of data held there. That means something else, like a virus, could potentially be stored there.
This data is kept alive in memory by a small watch battery on the motherboard. Note that this is not the same battery that powers the computer while you work.
Because laptops are portable and therefore more susceptible to theft and shenanigans, laptop CMOS settings are usually protected by a password. In the case of Apple laptops, the study now shows that this password is a default password common to a host of other laptops. This means that a hacker could learn this default password and find their way onto any Apple laptop that has not had its default password changed.
What makes this especially bad is a twist of hardware design: Apple laptops have batteries that are permanently mounted inside the chassis. Unlike most laptops, whose batteries can be replaced, Apple laptops make do with a single built-in battery. This means that if the CMOS is sufficiently scrambled, you’re not going to be able to get into the system to fix the problem. At least, not through conventional methods.
So, what is the potential fallout from this new security vuln? The threat is fairly limited in scope, but very significant for anyone who is affected. In all likelihood, in order to infect or otherwise harm a laptop in this manner, the hacker has to be physically present. This is not the kind of vulnerability that lends itself to Internet attack, because CMOS settings are set and unchangeable once the computer is fully booted.
If someone is able to get into the CMOS settings, the first and most obvious threat would be for them to render the computer either inoperable or significantly impaired, then change the CMOS password to something the legitimate user does not know. This would constitute a single-user Denial of Service type of hack: one user is unable to use their computer and unable to fix the problem.
More serious would be someone filling the CMOS memory with junk data and effectively rendering the computer unbootable at all. The gravity of this particular attack is that, if the computer can’t even boot to the CMOS settings window, it may not be possible to zero out and replace the junk data.
Probably the least-likely threat is the idea of a hacker putting a CMOS virus on the system. The amount of data that can be held in CMOS is actually pretty limited, so whatever virus is there would have to be extremely small. Still, it might be possible to place a virus in CMOS that can dial home and install a fuller, more serious virus onto the hard drive.
If the intruder is able to replace and rewrite CMOS settings, clearly you can as well. They call this “flashing” the CMOS, and it’s typically done to upgrade firmware or resolve hardware issues. But you could also flash the CMOS to get rid of errant settings, which is exactly what you’d want to do in the case of this type of attack. In the worst-case scenario, pulling the CMOS battery off the motherboard would discharge the memory and bring your computer back to factory default settings. Problem solved.
Except in this case, the battery is a permanent resident of the motherboard. There’s no pulling this battery and no way to reset the CMOS settings in the event that normal CMOS settings pages are inaccessible. And that’s the real threat.
Overall, this is a fairly low-risk threat, given the physical access the attack requires. And it should be pointed out that all motherboards have CMOS and very few are protected by any kind of password, especially not desktops. Still, the fact that all Apple laptops are secured with the same password is arguably more serious than other laptops having no password at all, if only because the spread of this knowledge among the hacking community makes exploiting it more tempting.