Charlie A. Miller loves his MacBook Pro laptop. And his four other Apple PCs, the iPhone he uses daily and two older iPhones he keeps for tinkering. But his relationship with the company that created those gadgets is somewhat more complicated.
In March, for instance, the 36-year-old security researcher publicized his discovery of 20 security vulnerabilities in Apple’s software. Each would allow a cybercriminal to take over the computer of a user who’s tricked into opening a certain PDF attachment or who simply visits an infected Web page using Apple’s Safari browser.
That haul of security bugs is a record even for Miller, who over the last four years has become perhaps the world’s most prominent Mac hacker. It may also be the most definitive proof yet that Apple devices aren’t safe “right out of the box,” as the company has claimed for years. “When I first began saying that Macs were less secure than Windows, everyone thought I was an idiot,” says Miller. “So I had to prove it again and again and again.”
In 2007 Miller became the first to hack the iPhone, using a flaw in its Safari browser to remotely gain control of the not-so-smart phone. Six months later he hacked a MacBook Air in two minutes at a competition in Vancouver. Last summer he revealed a method that allowed him to virally hijack the iPhone using text messages spread via a user’s contact list.
Miller says his latest research doesn’t aim to show off his elite hacking skills, most of which he learned over five years as a global network exploitation analyst for the National Security Agency. Instead, he wants to show just how easy it is to find chinks in the armor of commonly used software. Miller used a technique known as “dumb fuzzing” to find flaws in PDF and PowerPoint programs. With a simple five-line algorithm, he repeatedly changed one bit of a file at random and checked to see if the file crashed an application, automatically tweaking and testing again and again. He ran the procedure more persistently than most hackers, leaving his fuzzing program to throw junk information at each target for three weeks before mining the data for exploitable flaws.
The results don’t look good for Apple: 20 bugs in its Preview application–all of which apply to Safari as well–compared with only 3 or 4 each in Adobe Reader and Microsoft’s PowerPoint. “It’s shocking that Apple didn’t do this first,” says Miller. “The only skill I’ve used here is patience.”
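The dumb-fuzzing loop described above, as an added sketch that is not Miller's code: it flips one random bit of a seed file, feeds the result to a target and buckets the inputs that raise an unhandled exception, then repeats the run against a version of the target that validates its input. The `TF` record format, both parser functions and the seed bytes are constructed for illustration; a real harness launches the application under test and watches for process crashes instead.

```python
import random

SEED_FILE = b"TF" + bytes([4]) + b"data"  # constructed sample: magic, length byte, payload

def parse_record(data: bytes) -> bytes:
    """Toy target (hypothetical format): b'TF', 1-byte declared length, payload."""
    if data[:2] != b"TF":
        raise ValueError("bad magic")  # clean rejection, not a crash
    declared, payload = data[2], data[3:]
    # Deliberate defect: the declared length is trusted without a bounds check.
    return bytes(payload[i] for i in range(declared))

def parse_record_checked(data: bytes) -> bytes:
    """Same parser with the length validated before use."""
    if data[:2] != b"TF":
        raise ValueError("bad magic")
    declared, payload = data[2], data[3:]
    if declared > len(payload):
        raise ValueError("declared length exceeds payload")
    return payload[:declared]

def flip_one_bit(data: bytes, rng: random.Random):
    """Return a copy of data with one randomly chosen bit inverted, plus the bit index."""
    bit = rng.randrange(len(data) * 8)
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf), bit

def fuzz(seed_file: bytes, target, iterations: int, rng_seed: int = 0) -> dict:
    """Mutate, run, record. Crashes are bucketed by (exception type, mutated byte offset)."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        mutated, bit = flip_one_bit(seed_file, rng)
        try:
            target(mutated)
        except ValueError:
            continue  # input rejected cleanly
        except Exception as exc:  # unhandled error stands in for an application crash
            crashes.setdefault((type(exc).__name__, bit // 8), mutated)
    return crashes

if __name__ == "__main__":
    for name, target in (("unchecked", parse_record), ("checked", parse_record_checked)):
        found = fuzz(SEED_FILE, target, iterations=500)
        print(name, {key: sample.hex() for key, sample in found.items()})
```

Bucketing by exception type and mutated offset collapses hundreds of crashing inputs into the single defect behind them, which is the triage step that follows a long fuzzing run.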
Apple didn’t respond to requests for comment. The company’s defenders have long insisted that even if their devices are less secure, they’re still safer than other PCs. The reasoning: Cybercriminals don’t bother to target Macs because their 8% U.S. market share is too low to make them profitable targets.
Still, Macs are being hacked. The risk of targeted cyberespionage attacks aimed at stealing patents, source code or other highly specific data means that market share is only part of the equation. Adriel Desautels, the chief executive of cybersecurity firm Snosoft, buys and sells software-vulnerability data in a growing gray market and says the demand for critical Apple bugs has steadily increased. He’s now willing to spend anywhere from $15,000 to $115,000 on information about the right Mac security flaw. Desautels declines to reveal much about his customers but says he screens them to avoid selling vulnerability data to cybercriminals. “In some cases [our buyers] explicitly ask for certain kinds of Mac bugs.”
Miller has sold bugs, too. In 2005, after he left the NSA, he pawned a Linux vulnerability to a government agency for $50,000. “It’s safe to say that when someone pays that much for a bug, they’re not going to tell the vendor to patch it,” he says. In recent years he has stuck with pro bono public research, which he argues makes software more secure.
Miller joined a Baltimore company called Independent Security Evaluators in 2007, and his contract hasn’t allowed him to sell bugs independently. The 12-person company pulls in $2.5 million a year testing the security of custom-made software. So Miller says his focus has shifted to hacking whatever he likes to use and “whatever gets people ticked off.”
As for Apple, Miller says the company has learned to accept, if not appreciate, his work. He usually gives Apple weeks of notice before publicly describing its bugs. “They’re always very polite,” he says. “But I suspect they wish I didn’t exist.”
Andy Greenberg, Forbes Magazine