Revisiting Battery Safety
In the wake of the recent pager attacks, we have received numerous questions from friends and customers about the risks of batteries in supply chain attacks. It should go without saying that battery safety is a very important topic and supply chain security is at the core of our mission at Eclypsium. However, these recent attacks are quite different from the supply chain threats and risks that most organizations are likely to encounter.
For starters, the physical insertion of explosives into devices in the supply chain is exceedingly rare and solely the realm of physical supply chain security. It is far more likely that organizations will face risks from unsafe components (e.g., batteries that are prone to fire) or software exploits that can cause life-threatening issues in otherwise unmodified devices. However, even these topics are rife with misinformation and FUD. So with that in mind, we thought it would be a good time to take a closer look at these technologies to understand how they work, the attack surfaces, and the risks involved.
Batteries and Thermal Runaway
Lithium-ion and lithium-polymer are common battery technologies used in a wide variety of modern devices because they have excellent energy density, but one of the risks associated with these types of batteries is ‘thermal runaway’ under certain circumstances. Thermal runaway is a vicious cycle inside the battery: rising internal temperature damages the internal structures of the battery itself, which causes further temperature increases and additional damage in an escalating feedback loop, leading to the destruction of the battery and potentially setting things around it on fire.
This is a problem in all devices that use these types of technologies, such as pagers, phones, laptops, mobility devices and other electric vehicles, and even residential and commercial energy storage systems, such as those connected to backup generators and solar panels. As battery-powered devices are used in ever more diverse environments, this is becoming a more critical safety issue to understand, and the Fire Safety Research Institute has an ongoing project to research the hazards that lithium-ion batteries pose in residential settings.
Due to this safety issue, modern devices typically have integrated thermal protections to try to break the circuit if the battery gets too hot. Although not specifically related to battery technology, this old article by EDN provides an example thermal-protection circuit that could be used on a circuit board to detect rising temperatures and shut off the power to associated components.
These integrated thermal protections are generally effective against software issues and against temperature rising too far because of excessive current draw, so the most common trigger of thermal runaway in modern devices is physical damage to the battery from external forces, which raises internal temperatures and pushes the battery into that destructive feedback loop.
There have been a variety of examples of phones causing fires due to thermal runaway in their batteries, and it’s easy to find videos of batteries catching fire on the internet. One particularly high-profile example was when the US Department of Transportation issued an emergency order banning Samsung Galaxy Note7 devices from being taken on airplanes under any circumstances, not just in checked bags. In that case, the phone was recalled because a significant number of them caught fire without any obvious physical damage to the device itself. It’s not clear what thermal protections existed in the phone, but they were clearly insufficient.
Now that we understand a little more about some of the implications of failed battery protections, let’s take a closer look at the complexity of some of these components and how they interact with each other.
In addition to things like thermal protection circuits, rechargeable devices include additional components that interact with each other to keep track of and manage things like the current battery charge level, when the battery is full, the charging rate, and the discharge rate.
Diagram from Charlie Miller’s presentation
In addition to all the different types of firmware we’ve already seen in a laptop or phone, such as the UEFI firmware and the power management and charging controller firmware, systems with rechargeable batteries also have components inside the battery pack itself that monitor the cells and report their status to the charging system over a messaging interface that has been standardized by the Smart Battery System specifications.
Because this is a more complex system than a simple signal to continue or halt charging, these components in the battery typically run updatable firmware themselves. Back in 2011, Charlie Miller presented at Black Hat and DEF CON on his research into the Smart Battery System components used in MacBooks, the firmware running inside the battery itself, and the vulnerabilities he’d found in them.
At the time, Miller’s experiments only resulted in a series of bricked MacBook Pro batteries, but he theorized that it could be possible to bypass some of the safety fuses in the batteries to cause them to catch fire.
Although there have been many examples of batteries catching fire due to physical damage and even a few without known physical damage, we have not yet found any examples of batteries catching fire due to thermal runaway that was triggered solely through software means.
Battery-Related Anti-Tamper Features
In addition to just looking at the battery components in isolation, some manufacturers have started approaching them as part of a holistic system-wide view and adding tamper detection to log and alert the user when a battery has been removed or replaced.
Similar to chassis intrusion detection, these events can be used to help identify when the system may have been tampered with. Beyond simply letting the user know that the battery has been removed or replaced, some additional system protection mechanisms may depend on continuing to receive power from the battery even when the laptop is turned off.
For this reason, the alert message or log event that the battery has been removed can be an indicator that something other than just the battery itself may have been tampered with.
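To make the Smart Battery System messaging described above concrete, here is an added example (not code from this post or from any battery vendor) that decodes a few SBS 1.1 register reads as a host would perform them over SMBus and raises the kinds of findings the tamper-detection discussion calls for: active alarm bits, an out-of-range cell temperature, and a pack whose serial number or manufacturer no longer matches the asset record. The register values, the inventory record and the 60 °C threshold are constructed for the example.

```python
# SBS command codes from the Smart Battery Data Specification 1.1
TEMPERATURE = 0x08        # unsigned word, units of 0.1 K
CURRENT = 0x0A            # signed word, mA (negative while discharging)
BATTERY_STATUS = 0x16     # bit field: alarm flags live in the high byte
SERIAL_NUMBER = 0x1C
MANUFACTURER_NAME = 0x20  # SMBus block read, modelled here as a string

ALARM_BITS = {
    0x8000: "OVER_CHARGED_ALARM",
    0x4000: "TERMINATE_CHARGE_ALARM",
    0x1000: "OVER_TEMP_ALARM",
    0x0800: "TERMINATE_DISCHARGE_ALARM",
    0x0200: "REMAINING_CAPACITY_ALARM",
    0x0100: "REMAINING_TIME_ALARM",
}

def decode(regs):
    """Convert raw SBS register words into engineering units."""
    current = regs[CURRENT]
    if current & 0x8000:                      # two's-complement signed word
        current -= 0x10000
    status = regs[BATTERY_STATUS]
    return {
        "temp_c": (regs[TEMPERATURE] - 2731.5) / 10,   # 0.1 K -> degrees C
        "current_ma": current,
        "alarms": [name for bit, name in ALARM_BITS.items() if status & bit],
        "serial": regs[SERIAL_NUMBER],
        "manufacturer": regs[MANUFACTURER_NAME],
    }

def assess(reading, inventory, max_temp_c=60.0):
    """Findings worth logging: pack alarms, over-temperature, identity change."""
    findings = []
    if reading["alarms"]:
        findings.append("battery alarm: " + ", ".join(reading["alarms"]))
    if reading["temp_c"] > max_temp_c:
        findings.append(f"cell temperature {reading['temp_c']:.1f} C exceeds {max_temp_c} C")
    if (reading["serial"], reading["manufacturer"]) != (inventory["serial"], inventory["manufacturer"]):
        findings.append("battery identity differs from inventory: pack removed or replaced")
    return findings

# Constructed sample reads: the inventoried pack while discharging, then a later
# read where a different pack reports an over-temperature alarm.
INVENTORY = {"serial": 0x1F40, "manufacturer": "ExampleCells"}
NORMAL = {TEMPERATURE: 2955, CURRENT: 0xFB50, BATTERY_STATUS: 0x00C0,
          SERIAL_NUMBER: 0x1F40, MANUFACTURER_NAME: "ExampleCells"}
SUSPECT = {**NORMAL, TEMPERATURE: 3351, BATTERY_STATUS: 0x10C0, SERIAL_NUMBER: 0x4E20}
```

Calling `assess(decode(SUSPECT), INVENTORY)` yields three findings (the over-temperature alarm bit, a cell temperature of about 62 °C, and the serial mismatch), while the inventoried pack yields none.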
Mitigations
Any swelling of a battery is a strong indication that it has been damaged and needs to be replaced immediately, because it is a fire hazard.
Usually, that is not as obvious as this particularly egregious example, but more subtle swelling of devices like laptops and phones is a huge giveaway that there’s something wrong and the device needs to be set aside in a safe location and replaced as soon as possible.
Another place to watch out for these types of issues is UPS batteries. These typically have a limited lifespan, and even though they may appear to still be working past the point at which they should have been replaced, they can also cause fires if they are not replaced when needed.
Conclusion
For most users, the only time they will think about their battery is when it needs a charge. But as security professionals, we have to be willing to take a more critical view of these components and the supply chains that produce them. The recent attacks where pagers were loaded with physical explosives present an example of batteries in the supply chain being used in a kinetic attack. However, since batteries increasingly run their own firmware, we also have to be cognizant of batteries being targeted in software-focused supply chain attacks and other cyberattacks. In both cases, organizations will need mechanisms to verify that these components are authentic and have not been tampered with in the supply chain.
Of course, the most common battery-related risk an organization will face will likely stem from batteries that are damaged or failing. It’s important that IT staff and users alike are trained to regularly inspect devices and monitor for signs of problems. Organizations should also maintain an up-to-date inventory of the components in their various devices, including the batteries. Then, when a particular vendor or model of device or a specific battery is found to have problems, teams will be able to quickly home in on the devices with the greatest risk.