The conventional wisdom is that iPhones and iPads don't have security problems, and it's largely true. Although Apple is mostly responsible for this, we also have Charlie Miller to thank.
There is an industry of computer security research in which experts look for weaknesses in the products we all use. Some of them are more ethical than others in their use of research results, but it's generally accepted that this research has made us all safer by forcing vendors to take security more seriously and forcing users to be more concerned about it.
In the world of Apple security research, and of iOS in particular, the leading expert is Miller, Accuvant Labs's principal research consultant. Miller is a computer security expert with specialties in vulnerability analysis, including using fuzzing to find software vulnerabilities.
After working for five years for the National Security Agency, Miller became famous in security circles for finding serious vulnerabilities in Apple products, perhaps the most stunning of which was an SMS processing bug that allowed attackers to compromise iPhones by sending them SMS text messages. He is a co-author of The Mac Hacker's Handbook and, just released this month, iOS Hacker's Handbook.
We asked Miller what makes him tick and what the state of security is.
BYTE: What motivates you and why are you interested in security issues? How did you get into it?
CM: I do it because it is challenging and at its nature adversarial. I can't play against professional football players, but I can match wits with some very smart engineers who build products and try to make them secure. I guess it is something that I always thought looked cool and exciting. I sort of got lucky because I was hired at the NSA to be a cryptographer (my background is in mathematics) but once there you can kind of do whatever you want and so I started learning about computer security and by the time I left was pretty good at it.
BYTE: What is the biggest security problem for mobile computing today? What is the biggest problem that is being overlooked?
CM: Despite the influx of mobile malware and targeted attacks, the biggest security problem for mobile devices is still losing it. You're way more likely to leave your phone at a bar or in the back seat of a cab than to be attacked today. The good news is there are some simple steps to take to make the impact of this loss very small, such as using a strong passcode and configuring remote wipe.
BYTE: What inspired you to start hacking Apple products? Which of your hacks worried you the most or was most surprising? Can you tell a story about what it was like to reveal the vulnerabilities?
CM: I left the NSA in 2005 and started consulting in 2006. I had never owned an Apple product before then, but the company I worked for, Independent Security Evaluators, required us all to have them. I was really more of a Linux guy at that time and could write a mean Linux exploit. At a low level there are a lot of similarities between OS X and Linux and so it was a pretty easy transition once I figured out how to use the OS. I remember calling a coworker and asking where the heck the Safari binary was!
CM: A lot of my fame came from hacking Apple products. I focused on them for a few reasons. One was that there were not too many other people looking at it so there wasn't much competition. Also, back then, partly for the same reason, Apple products were way less secure than, say, a Windows desktop. Nobody had really ever looked for bugs in them so there were a lot there and also Apple products didn't have built-in defenses like ASLR or DEP. So basically, it was easy, nobody else was doing it, I liked Apple products, and people got all excited by it for some reason.
CM: Probably the coolest bug I found was in the SMS stack of iPhones back in 2008 or 2009. You could send a bunch of text messages to a device and take control of it. This was cool because there was really nothing a user could do to stop you. Even if they turned off their phone, the carrier would queue up the attack and send it as soon as they turned it back on.
CM: As for disclosure, I only really disclose bugs that I find that I plan to talk about at conferences. In those cases I try to give plenty of time for vendors to have a fix ready before I talk about it. Otherwise, I don't report a lot of bugs because it's a hassle and I don't like to work for free. It doesn't seem fair that my consulting clients pay a lot of money for me to find bugs in their products while I'm expected to report bugs for free that I find in my own time.
Does Apple need to adopt a more regular and transparent update policy like Microsoft's? Larry Seltzer thinks it might be time for iPatch Tuesday..
BYTE: If someone wanted to attack iOS, what are the major weak spots he should target?
CM: iOS is pretty good. Between the reduced attack surface and the exploit mitigations, it is a pretty tough target. I'm not sure where I'd start, but if you look back a year or two you can see what I thought. For Pwn2Own 2011 I looked at how the iOS Web browser will natively parse Microsoft Office files. I figured if MS can't get that right in Office and that's all it does, there is no way MobileSafari is going to do it right!
BYTE: How long can Apple continue to be successful using its locked-down store to keep threats out?
CM: I think it is a really smart way to go and I don't see any reason they would need to stop. Obviously if you look at my codesigning attack last year this approach isn't perfect, but if you compare the amount of Android malware vs. iOS malware it is hard to argue that Apple's approach hasn't been successful.
BYTE: Is the locked-down store the wave of the future? Is it coming to the Mac, to Windows?
CM: Yes, there are rumors that it will show up on both of these platforms very soon. I think the best approach is to ship products with "white listed apps" or codesigning or however this model is implemented enabled. But users should be given a button they can push which turns it off. I'd like iOS a lot better if Apple shipped it with a "jailbreak" button with lots of warning enabled if you pressed it versus having to wait to update until the next jailbreak is released. I see a day in the next year or so where there is no jailbreak available for iOS devices. This will really make life difficult for many users.
BYTE: How much of a problem is it really for Apple that vulnerabilities in Webkit (the browser engine used in Safari and many third-party browsers including Google Chrome) are patched in an uncoordinated manner?
CM: It's an issue for sure. Between Chrome, Safari, MobileSafari, and Android (plus many others) it is hard to coordinate the release of patches in Webkit. Hell, Apple hasn't even figured out how to do it between just Safari and MobileSafari. The problem is that as soon as you patch one, it is pretty easy to figure out what the vulnerability is and exploit the others. Luckily, the security industry has slowly been making the adjustment away from "finding all the bugs" to "making exploitation harder" and so it may still take quite a bit of time, depending on the vulnerability, to make an exploit. This may mean that the other Webkit-based programs have enough time to patch even if the coordination isn't perfect.
BYTE: What made you want to write your new book?
CM: Part of the reason I try to give a lot of talks at conferences is to share what I know about topics. The bad guys are great at sharing knowledge and techniques and so if we can't do it we're going to be at a big disadvantage. Also, as an iOS device user, it benefits me to have the device as secure as possible and part of that is having lots of researchers constantly trying to pick it apart. I'm hoping this book will help researchers get interested in the topic as well as help them get up to speed. There is very little that I know about iOS that is not in the book and so I'm hoping to see a lot of young researchers finding and reporting iOS vulnerabilities (or writing jailbreaks for it) because of the book. I definitely saw an uptick in interest in Mac OS X after the publication of the Mac Hacker's Handbook and hopefully the same will be true here.
BYTE: What kind of family did you grow up in? Where are you from?
CM: I grew up in a blue-collar family in St. Louis, Mo., where I still live. I was only the second kid from my whole (large) extended family to ever go to college and still the only one to get an advanced degree. When I was little I taught myself how to program in BASIC on an Atari 400 and then on a Commodore 64. My family was supportive enough to get me these computers but couldn't do much beyond that. Luckily, I was able to go all the way through to get my PhD entirely on scholarship and as a teaching assistant.
CM: To this day, I think the only formal computer science classes I've taken were CS 100 and a graduate-level artificial intelligence class. That is one of the cool things about computer security, it doesn't matter if you have a fancy degree, if you can do the work, you can do the work--or as they say, skill knows skill when it comes to computer security.