
Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

Accuvant Labs' Charlie Miller talks to Tom's Hardware about the Defender's Dilemma, the security of data in the cloud, looking for vulnerabilities in notebook batteries, and the ramifications of using Apple's iPad in an enterprise environment.

If you're not already familiar with Charlie Miller, check out Behind Pwn2Own: Exclusive Interview With Charlie Miller and Hacking The iPhone, iPod, And iPad With A Web Page, two of our previous interviews with him.

Alan: Hi Charlie, thanks again for taking the time to sit down and talk with me and the readers of Tom’s Hardware. I know how busy it gets around Black Hat.

Charlie: Yep, between my "day job" doing consulting and writing slides and finishing research, this is my second busiest time of the year. The only worse time is right before Pwn2Own! I can't wait until Black Hat and DEF CON are finished to relax and start some new research.

Alan: A lot has changed since the last time we chatted. The impact and critical importance of computing security has really just begun to be appreciated by mainstream users. The New York Times had a great feature on the development of Stuxnet and detailed how the good guys undermined and crippled Iran’s nuclear program. We’ve seen the bad guys attack Lockheed Martin through a targeted effort that began with compromising RSA SecurID. Lastly, we’ve seen end-users directly impacted by the actions of groups like Anonymous and LulzSec. It’s the good, the bad, and the ugly.

So for today, I’m hoping I can get your thoughts on some big-picture stuff before I pick your brain on the new iOS jailbreak and the battery firmware vulnerability.

Charlie: Well, who the bad guys and who the good guys are can be a bit hard to determine sometimes. I'm sure the Iranians don't consider Stuxnet to be a force for good. But yes, let's talk about the big picture.  

Alan: Well, I know I'm a good guy, and you're a good guy. People can trust us. We're doctors. Anyway, after the Brighton Bombing in ’84, the IRA released a statement that included the line "...remember we only have to be lucky once. You have to be lucky always." When it comes to computing security, it seems like it’s the same challenge. Only in this case, it’s even worse. The bad guys are coming from multiple fronts. You have targeted attacks, automated botnets, and broad social engineering spam. You also have different motives ranging from espionage and financial or political gain to activists looking to make a statement. While there was a political process that could bring peace to the United Kingdom, you’re not going to be able to negotiate with someone looking to steal credit card info or sensitive data.

Can we actually win this war or are we just hoping to minimize our losses?

Charlie: Yes, we call it the Defender's Dilemma. Defense is always harder because you have to be perfect, where attackers only have to find one flaw. This is why it’s so much more fun to attack Apple than to work for Apple!

I have to say, things are a bit bleak when you put it that way. There will always be vulnerabilities and there will always be criminals, so it’s hard to figure the way out. Especially as end users there is almost nothing you can do; you have to rely on the security of the software you run and have little control over how secure it is. As a society, we cannot eliminate computer attacks. However, what we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. And even for those with the expertise to still pull off the attack, it minimizes the number of attacks they can perform. The way we make it more difficult is to reduce the number of vulnerabilities and ensure users’ software is up to date and "secure by default". Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple's App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won't be able to pull it off, and those who can will have to spend much more time working it out.

16 Comments
  • 0 Hide
    Darkerson , August 2, 2011 4:38 AM
    Pretty interesting read. Keep up the good work!
  • 2 Hide
    pepe2907 , August 2, 2011 5:53 AM
    Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.
  • 0 Hide
    DavC , August 2, 2011 7:53 AM
    interesting read!
  • 0 Hide
    mayankleoboy1 , August 2, 2011 3:34 PM
    Quote:
    No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.


    exactly
  • 1 Hide
    mayankleoboy1 , August 2, 2011 3:40 PM
    if only software could be people-proof.
  • 2 Hide
    jacobdrj , August 2, 2011 5:05 PM
    mayankleoboy1: if only software could be people-proof.

    "A farmer notices his chickens are getting sick, he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, he suddenly stops and says "I've got it, but it would only work if the chickens were spherical and in a vacuum."" - Big Bang Theory...
  • -1 Hide
    slicedtoad , August 2, 2011 5:46 PM
    So is it safe to say that as an end user we shouldn't be over concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't password reuse (for the important stuff anyway), get a decent av (like eset) and keep your computer up to date.
    Multi-layered security on a home pc doesn't make sense, nor does 15 character alpha-numeric passwords (in most cases). No one is going to specifically target you or your pc.
  • -5 Hide
    weaselsmasher , August 2, 2011 6:17 PM
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
  • -3 Hide
    christop , August 2, 2011 7:20 PM
    Enjoyed this..Wish I had a few 0days sitting around to sell..
  • 0 Hide
    PreferLinux , August 2, 2011 9:25 PM
    pepe2907: Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages. If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.

    Yes, but whether that is fully legal or not is another story.
  • 4 Hide
    cangelini , August 3, 2011 1:54 AM
    weaselsmasher: An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?


    I'm inclined to answer "security" and a guy who knows an awful lot about it ;-)
  • 3 Hide
    AlanDang , August 3, 2011 2:28 AM
    weaselsmasher: An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?


    Nothing wrong with both, right? The people I invite to interview are people who do a good job of explaining complex technical things in a straightforward manner. At some point though, if you get to keynote an international NATO conference on cyber security, you deserve a little bit of bragging rights. But truthfully, Charlie is still a normal, down-to-earth guy when doing an interview... and that's a win for everyone. You guys get access to cool content that's rarely discussed at other websites, and it's not too boring to read... and it's free. I can tell you it's way more fun talking with engineers as opposed to PR people...
  • 0 Hide
    Anonymous , August 3, 2011 4:29 PM
    @Alan Dang, you wrote: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
    This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users *can* protect themselves.
    But the sad part in this case is that it's the security conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers..
  • 0 Hide
    dndhatcher , August 3, 2011 10:29 PM
    The article is very interesting. I tried to listen to the keynote and my eyes glazed over. He's obviously got expertise with the subject matter, but could use some presentation training before he starts on the lecture circuit.

  • 0 Hide
    slicedtoad , August 4, 2011 12:53 AM
    @dndhatcher
    Really? I delayed watching it for a while cause it was long but damn was it interesting. He certainly isn't in PR but he's not bad at speaking. Certainly better than Mr. Facebook.
  • 0 Hide
    Anonymous , August 10, 2011 10:01 AM
    Battery as an attack vector is at least (almost) as old as the original PSP. One way to install custom firmware to it is to modify the battery. Search for "pandoras battery" if you want to know more.