Apple Ban Gives Miller Time To Hack Other Things
Charlie Miller reflects on how his NSA chops were a natural progression to Apple hacking, how hard hacking has become -- and his obsession with reality TV shows about stage moms
Charlie Miller won't be exposing any new security holes in Apple products at Black Hat USA this year. Instead, the renowned researcher will show just how dangerous it can be to pay cab fare with your mobile device, as he demonstrates vulnerabilities he discovered in emerging near-field communications (NFC) technology.

Miller, 39, is more interested in fresh meat now than in hammering away at existing Apple products. Plus, he's still serving the remainder of his one-year ban from Apple's App Store developer program in the wake of a research app he was able to slip past its vetting process last year, so he can't get a prerelease peek at iOS images to find new bugs in the upcoming iOS 6, anyway.

"If you told me to look for a [bug in] Safari, that would be so awful. I've done that so many times. There is no thrill for me now in finding a bug in WebKit. I don't do that for fun anymore ... there's a patch and it's gone," Miller says. "I like to look at new devices."

That doesn't mean he has sworn off Apple-hacking, however. "As much as I'd like to help secure the new iOS, at present I'm not allowed to do so due to the ban by Apple," he says. "That said, I still love their products and use them daily, so there is a good chance I'll take a close look at them again in the future."

He won't reveal any details on what he found or will demo at Black Hat later this month in Las Vegas, but Miller says he was attracted to NFC because the chip-based technology is so new and he's always on the lookout for ways to compromise mobile phones, like posing as a terminal and forcing the phone to do something. "Can I intercept your money or your credit card ... [or] take over your phone because you have this new chip [and] functionality?" he says.

The downside of his new hacking target, according to Miller, is that NFC is still so new and not yet widely deployed. "I'm ahead of the curve this time, and that's not really where I want to be," Miller says.
The mathematician-turned-security researcher got his start in the security business in much the way many of his cohorts have: more by accident than by design. Miller finished school with a PhD in math from Notre Dame and was hired by the National Security Agency (NSA) as a cryptographer. He knew little about data security at the time. "I didn't really want to do cryptography. I decided I wanted to do security," says Miller, who won't discuss what exactly he did for NSA with crypto during his time there.

He left NSA after five years when his family began to grow, and they headed back to his hometown of St. Louis, where he, his wife, and two sons, 6 and 8, currently live and Miller has a home office. But Miller had trouble landing a job right away. "No one outside NSA knew who the hell I was," he says. His first job post-NSA was at a financial services firm, and his responsibilities included writing security policies and checking password security -- work he admits was pretty awful.

You always remember your first bug, and in Miller's case, it was two bugs he found in his then-employer's Web applications. "One allowed you to get a channel on their Web server, and another elevated privileges," he recalls. "I chained them together to exploit their own Web server and showed it to them." The firm's head of development at first didn't understand what exactly Miller had uncovered. "He had no idea what I was talking about," Miller says. "But I got them to fix it in the end."

These days Miller enjoys the freedom of plying his self-taught hacking craft both on the job for clients and on the side for his own research interests. Miller, who joined Accuvant last year as principal research consultant after several years with Independent Security Evaluators, first made a name for himself in security with his Apple hacking skills, which he says were actually a natural outgrowth of his NSA background. "Coming out of NSA, I knew a lot about Linux and not much about Windows. OS X was a natural thing [for me] because it's Linux-like enough so I knew how it worked. Then the iPhone came along, and that was basically like OS X as well ... and Linux, so it was a natural place for me to be," he says.

He scored big in the Pwn2Own hacking contest starting in 2008, when he was the first to find a major bug in the MacBook Air, and then the next year, in hacking Safari. He was among the contest winners in 2011 as well, with Apple as his target once again. But one of his more notable Apple hacks was outside Pwn2Own. It ended up being his most notorious one after Apple punished him for a stock market ticker app he created and got past Apple's app review process and into its App Store last fall. He exploited a flaw in iOS that could let an app run malicious code that ultimately allowed the attacker to silently take over the user's device, which he demonstrated in a video and reported to Apple. Apple responded by kicking him out of its developer program for a year.

[Apple is quietly making some subtle, incremental security moves in the face of new threats to its products. See "4 Signs That Apple's Sharpening Its Security Game."]

Miller is most proud of the SMS texting bug in the iPhone that he found and then revealed at Black Hat USA in 2009. "It was the coolest [of my research] because it didn't require any user interaction. You send a text to take over the phone and there's nothing you can really do to protect yourself. There's no setting on your phone to stop text messages, and even if you turn off the phone, it sends the attack to you," he says.

But hacking isn't the same as when Miller first started out. Vulnerabilities were being dropped publicly in droves, and by all levels of hackers. The evolution in software security over the past few years has made bugs fewer and harder to find -- and exploiting the ones you do find is even harder, Miller says. "It's really hard now," he says. "It takes me [about] two weeks now to find a bug. You don't see guys like me doing that anymore: It's not worth the time."

Exploiting vulnerabilities is more difficult now thanks to anti-exploit technologies, such as sandboxing, he says. Now when a researcher finds vulnerabilities that have exploits, they don't want to give them away for free. "You're giving away a month of your time."

It's the sophisticated attackers who are bypassing security that worry Miller. "Probably the thing that scares me most is sophisticated attackers still win," he says. "Ever since Stuxnet -- oh, man, they did everything right and still got killed. That's a scary thing. You have all of your security software, isolated networks, everything in place, and someone rolls in with 0days and takes you over ... If they can get on an Iranian nuclear site that's not connected and is fully patched, then no one is safe."

Worst day ever at work: "I was brought in on-site to see why this company's Web server kept going down. I was there a couple of days and couldn't figure it out -- it'd just reboot once in a while. On my way to the airport, I got a call from the CEO, who told me that they figured out one of the members of the IT staff had been pulling the power cord when nobody was looking. Doh!"

What your co-workers don't know about you that would surprise them: "I watch Dance Moms and Toddlers & Tiaras every chance I get."

Favorite team: "Notre Dame football, of course. Actually, for a computer guy, I'm a bit of a sports nut. I once applied for a job at Electronic Arts, and I couldn't convince them I liked sports -- they thought I was lying to get the job."

Favorite hangout: "I almost never leave my house. I guess my favorite hangout is my home office. I'm pathetic."

In his music player right now: "Some Pete Yorn, various '80s music, and some techno stuff."

Miller's security must-haves: "I always choose usability over security, so I don't really have any security must-haves, but one program I do use is MoxierWallet to manage my passwords."

Business hours: "8 a.m. until 4 p.m. every day, and a little at night. I have kids who get up at 6 a.m. whether I'm up or not. My best work is really early in the morning."

Ride: "A silver Toyota Prius: It says I'm environmentally friendly and/or a cheapskate."

For fun: "Soccer, running."

Actor who would play him in a film: "Bruce Willis is old and bald, but probably too good-looking. Michael Cera is nerdy-looking, but too young. So I'm thinking Tony Hale from Arrested Development fame."

Next career: "I'd like to throw my big data skills at something like cancer research."