Written by Varta Admin
By Stefan hald Field Applications Engineer (Power Pack Solutions), VARTA Microbattery GmbH www.varta-microbattery.com
The problem of non-approved replacement batteries has been creeping up on makers of battery-powered consumer devices in the past five years. Now, it has reached crisis point: counterfeit battery manufacturers, mostly based in Asia, have grown highly capable technically and have sophisticated manufacturing facilities at their disposal. Owners of products such as smartphones, portable DVD players, portable games players and personal music players can now easily find on the internet a replacement rechargeable battery when the original reaches the end of its life. The non-approved version will generally be much less than half the price of the approved battery sold under the OEM’s brand. But the non-approved version is likely to be inferior in a number of important ways:
The use of counterfeit batteries can therefore lead to undeserved and unforeseen rises in warranty claims and product-replacement costs, and can adversely affect the reputation of the manufacturer’s products. This highlights the importance to OEMs of implementing effective battery authentication, to ensure that only original, approved batteries will function in a device.
Of course, the problem only arises with the use of custom batteries in a unique form factor. An alternative option is always available – to use standard cells with discrete control and protection circuitry. Several benefits will follow: high-quality standard cells are cheap, widely available from multiple sources, and are easy for the end user to replace when necessary. And of course, there is no counterfeit market in standard cells.
The use of standard cells in high-volume portable devices is rarely appropriate, however, because the mechanical design of devices normally requires a unique, nonstandard battery form factor. In addition, available standard cells will often fail to provide the exact power capacity required by the application, forcing the OEM to compromise either on size – a battery pack that is too large – or capacity – an inadequate operating time between charges. A custom battery, while more expensive than a battery pack based on standard cells, optimises power density, power capacity and shape.
Shape was once the main way in which an OEM protected its battery against nonapproved replacements. But non-original battery producers’ equipment has improved enormously in the past five years. Now the development and tooling costs involved in replicating a unique form factor and terminal layout have fallen to such an extent that a unique size and shape offer only a small deterrent to non-original manufacturers. This approach will only be suitable in low-volume applications, where the potential sales revenue from non-approved batteries will barely balance the nonreusable engineering and production costs.
Consumer device manufacturers seeking to add a layer of active security to their battery pack have in the past implemented security via a battery identification scheme. The operation of such a scheme is straightforward: a small memory chip holds a battery identification number. On power-up, the host device challenges the battery identification chip: if the host recognises the battery identification number it provides, it permits normal operation. If it does not, it can provide an alert to the user, disable certain functions or even shut down the device entirely.
This scheme is simple and inexpensive to implement (see Figure 1), since it simply requires the addition of a dedicated memory chip to the battery pack (suitable devices are widely available at a cost of less than $1), and the implementation of a challenge-and-respond routine in the host.
Fig. 1: typical battery pack circuit design that implements ‘unique ID’ security Unfortunately, the static nature of this security scheme (the battery identification number is the same in all devices sharing the same part number) makes it easy to copy: non-original battery manufacturers can capture the identification number using an oscilloscope. As a security mechanism, this is rather like locking the door to your house and leaving the key under a flower pot. OEMs therefore require a battery security mechanism that produces a different data stream every time the host challenges it, in order to defeat the counterfeiter’s oscilloscope. This can be implemented today using standard ICs and proven security algorithms.
The basic operation of such a challenge-and-respond scheme involves the generation of a random data stream by the host (see Figure 2). This random data stream is communicated to the battery, which then performs a transform function on the data stream using a secret key held by the battery and the host. The battery then sends back the transformed data stream to the host. Meanwhile, the host performs the same transform function on the random data. If the two values provided by the battery and the host match, the battery is authenticated and the host permits it to function normally.
Fig. 2: operation of challenge-and-respond battery authentication scheme This scheme ensures that the data streams passing between host and battery are different every time, so capturing them on an oscilloscope does not facilitate counterfeiting.
The secret key used in the transform operations is a code hidden on the host device and the battery pack’s security IC. This secret is the source of the device’s security, which means the OEM can use a public authentication transform algorithm – such algorithms are proven to be extremely safe from attacks on their integrity.
The most secure forms of challenge-and-respond scheme today implement the SHA- 1/HMAC algorithm, which is widely used for authentication of online banking transactions and Virtual Private Networks. Here, the transformation of the host’s ‘message’ to the battery results in a condensed ‘message digest’.
This security scheme operates in two stages (see Figure 3). First, the host uses its secret key to read a 128-bit encrypted ID stored on public memory in the battery’s security IC. It then generates a 160-bit random challenge and transmits it to the battery’s security IC. This then uses its 128-bit ID, stored as plain text (ie unencrypted) in private memory, to transform the random challenge and produce a message digest.
At the same time, the host performs the same transform function on its random challenge, using the decrypted ID it has just acquired from the battery. Fig. 3: operation of high-security authentication scheme using SHA-1/HMAC algorithm
If the battery’s and the host’s message digests match, the battery is allowed to operate normally. As before, the security resides in the secret key, which the host holds. But the advantage of the SHA-1 algorithm is that it generates a large 160-bit challenge: this produces 2,160 possible results, and this is a large enough number to make counterfeiting impracticable. In fact, the scheme is more vulnerable to human exposure than technical, through the inadvertent or deliberate release of the secret key by staff at the OEM itself.
This high-security circuit can be implemented in a battery pack using a dedicated security IC – such devices typically cost less than $1.50 in volume. The implementation of such a scheme also entails a small extra production cost, as a special test routine will need to be developed and run in the factory.
Balancing benefits and costs
Consumer electronics OEMs have strong reasons for using custom batteries, which enable smaller, sleeker end products with longer operating time between charges. The size of the reputational and warranty-redemption costs that could arise from the widespread use of counterfeit replacement batteries is, in practice, impossible to quantify exactly.
What is certain is that extremely secure authentication technology can be applied to battery packs at a cost per unit of just $1-$1.50. The level of protection afforded to batteries is the same as that applied by banks to the millions of transactions carried out on the internet every day – and that is certainly enough to deter attempts by non-approved battery vendors to copy original batteries.
VARTA Microbattery develops and manufactures custom battery packs, which can integrate control and protection circuitry, through its CellPac PLUS service available worldwide.[ENDS]