Apple 'Ban' Gives Miller Time To Hack Other Things

Charlie Miller reflects on how his NSA chops were a natural progression to Apple hacking, how hard hacking has become -- and his obsession with reality TV shows about stage moms

Charlie Miller won't be exposing any new security holes in Apple products at Black Hat USA this year. Instead, the renowned researcher will show just how dangerous it can be to pay cab fare with your mobile device, as he demonstrates vulnerabilities he discovered in emerging near-field communications (NFC) technology.

Miller, 39, is more interested in fresh meat now than hammering away at existing Apple products. Plus, he's still serving the remainder of his one-year ban from Apple's App store developer program in the wake of a research app he was able to slip past its vetting process last year, so he can't get a prerelease peek at iOS images to find new bugs in the upcoming iOS 6, anyway. "If you told me to look for a [bug in] Safari, that would be so awful. I've done that so many times. There is no thrill for me now in finding a bug in Webkit. I don't do that for fun anymore ... there's a patch and it's gone," Miller says. "I like to look at new devices."

That doesn't mean he has sworn off Apple-hacking, however. "As much as I'd like to help secure the new iOS, at present I'm not allowed to do so" due to the ban by Apple, he says. "That said, I still love their products and use them daily, so there is a good chance I'll take a close look at them again in the future."

He won't reveal any details on what he found or will demo at Black Hat later this month in Las Vegas, but Miller says he was attracted to NFC because the chip-based technology is so new and he's always on the lookout for ways to compromise mobile phones, like posing as a terminal and forcing the phone to do something. "Can I intercept your money or your credit card ... [or] take over your phone because you have this new chip [and] functionality?" he says.

The downside of his new hacking target, according to Miller, is that NFC is still so new and not yet widely deployed. "I'm ahead of the curve this time, and that's not really where I want to be," Miller says.

The mathematician-turned-security researcher got his start in the security business much the way many of his cohorts have: more by accident than by design. Miller finished school with a PhD in math from Notre Dame and was hired by the National Security Agency (NSA) as a cryptographer. He knew little about data security at the time. "I didn't really want to do cryptography. I decided I wanted to do security," says Miller, who won't discuss exactly what he did with crypto during his time at NSA.

He left NSA after five years when his family began to grow, and they headed back to his hometown of St. Louis, where he now lives with his wife and two sons, 6 and 8, and works from a home office. But Miller had trouble landing a job right away. "No one outside NSA knew who the hell I was," he says. His first job post-NSA was at a financial services firm, and his responsibilities included writing security policies and checking password security -- work he admits was "pretty awful."

You always remember your first bug, and in Miller's case, it was two bugs he found in his then-employer's Web applications. "One allowed you to get a channel on their Web server, and another elevated privileges," he recalls. "I chained them together to exploit their own Web server and showed it to them."

The firm's head of development at first didn't understand what exactly Miller had uncovered. "He had no idea what I was talking about," Miller says. "But I got them to fix it" in the end, he says.

These days Miller enjoys the freedom of plying his self-taught hacking craft both on the job for clients and on the side for his own research interests. Miller, who joined Accuvant last year as principal research consultant after several years with Independent Security Evaluators, first made a name for himself in security with his Apple hacking skills, which he says were actually a natural outgrowth of his NSA background. "Coming out of NSA, I knew a lot about Linux and not much about Windows. OS X was a natural thing [for me] because it's Linux-like enough so I knew how it worked. Then the iPhone came along, and that was basically like OS X as well ... and Linux, so it was a natural place for me to be," he says.

He scored big in the Pwn2Own hacking contest starting in 2008, when he was the first to find a major bug in the MacBook Air, and then the next year, when he hacked Safari. He was among the contest winners in 2011 as well, with Apple as his target once again. But his most notorious Apple hack happened outside Pwn2Own: last fall, Apple punished him over a stock market ticker app he created and got past Apple's app review process and into its App Store. The app exploited a flaw in iOS that could let an app run malicious code and ultimately allowed an attacker to silently take over the user's device; Miller demonstrated the attack in a video and reported the flaw to Apple. Apple responded by kicking him out of its developer program for a year.

Miller is most proud of the SMS texting bug in the iPhone that he found and then revealed at Black Hat USA in 2009. "It was the coolest [of my research] because it didn't require any user interaction. You send a text to take over the phone and there's nothing you can really do to protect yourself. There's no setting on your phone to stop text messages, and even if you turn off the phone, it sends the attack to you," he says.

But hacking isn't the same as when Miller first started out. Vulnerabilities were being dropped publicly in droves, and by all levels of hackers. The evolution in software security over the past few years has made bugs fewer and harder to find -- and exploiting the ones you do find is even harder, Miller says. "It's really hard" now, he says. "It takes me [about] two weeks now to find a bug. You don't see guys like me doing that anymore: It's not worth the time."

Exploiting vulnerabilities is more difficult now thanks to anti-exploit technologies, such as sandboxing, he says. "Now when a researcher finds vulnerabilities that have exploits, they don't want to give them away for free. You're giving away a month of your time."

It's the sophisticated attackers who are bypassing security that worry Miller. "Probably the thing that scares me most is sophisticated attackers still win," he says. "Ever since Stuxnet -- oh, man, they did everything right and still got killed. That's a scary thing. You have all of your security software, isolated networks, everything in place, and someone rolls in with 0days and takes you over ... If they can get on an Iranian nuclear site that's not connected and is fully patched, then no one is safe."

Personality Bytes

  • Worst day ever at work: I was brought in on-site to see why this company's Web server kept going down. I was there a couple of days and couldn't figure it out -- it'd just reboot once in a while. On my way to the airport, I got a call from the CEO, who told me that they figured out one of the members of the IT staff had been pulling the power cord when nobody was looking. Doh!
  • What your co-workers don't know about you that would surprise them: I watch "Dance Moms" and "Toddlers & Tiaras" every chance I get.
  • Favorite team: Notre Dame football, of course. Actually, for a computer guy, I'm a bit of a sports nut. I once applied for a job at Electronic Arts, and I couldn't convince them I liked sports -- they thought I was lying to get the job.
  • Favorite hangout: I almost never leave my house. I guess my favorite hangout is my home office. I'm pathetic.
  • In his music player right now: Some Pete Yorn, various '80s music, and some techno stuff.
  • Miller's security must-haves: I always choose usability over security, so I don't really have any security must-haves, but one program I do use is MoxierWallet to manage my passwords.
  • Business hours: 8 a.m. until 4 p.m. every day, and a little at night. I have kids who get up at 6 a.m. whether I'm up or not. My best work is really early in the morning.
  • Ride: A silver Toyota Prius: It says I'm environmentally friendly and/or a cheapskate.
  • For fun: Soccer, running.
  • Actor who would play him in a film: Bruce Willis is old and bald, but probably too good-looking. Michael Cera is nerdy-looking, but too young. So I'm thinking Tony Hale, of "Arrested Development" fame.
  • Next career: I'd like to throw my big data skills at something like cancer research.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

7/11/2012 | 2:57:45 PM
re: Apple 'Ban' Gives Miller Time To Hack Other Things
I still can't believe Apple banned him like that. It's a classic example of how they seem to approach security: shoot the bearer of bad tidings, stick your fingers in your ears and scream "LALALA" and then tell all the fanboys that everything is swell.