Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

Who Gets Held Accountable For Security?

Alan: What about a Consumer Reports-type third-party to grade companies on their security? Even if I could do a better job than Sony, the guys at Microsoft and Google definitely are better than the average user. The average user isn't going to be able to do what Google did with counter-hacking the Chinese hackers or what Microsoft did with Waledac which combined technical measures with legal/political measures.

Charlie: Yes, this is one of the solutions I recommended during my recent talk at the NATO Cooperative Cyber Defense Centre of Excellence in Estonia. On a high level, something like Underwriters Laboratories. If you buy a toaster, and it has the UL seal on it, you can be sure it won't burn your house down. We need something like that for software where if you see the UL seal, you know it might not be perfect, but it has undergone and passed a certain level of scrutiny. On a technical level, I could imagine something like a private fuzzing test suite that a product would either pass or fail, and the software maker would not be given the failing test cases. In this way they couldn't "train for the test." They'd probably find way more bugs than the private test suite would find, just in the effort to pass the test.

Alan: Say you have secure hardware and secure software. How do we protect against social engineering?

Charlie: People are usually the weakest link in security. Almost all of the exploits I write at least require the user to go to a malicious Web site. That means clicking on a link sent via email, surfing on a public wireless access point, etc. Computers are designed, for the most part, to do things we ask them to. No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.

Alan: Let’s talk a little bit about the iPad jailbreak. From what I understand, this is another PDF-based exploit. Have you had a chance to look at this?

Charlie: Yes, I've reverse engineered it a bit. The exploit is delivered via a PDF file, but the underlying vulnerability is in how it parses a font that is embedded in the PDF. This "malicious" font could have been delivered in ways besides PDF files. Anyway, it is a very clever exploit. The bug is in this little state machine that is processing the font. The bug allows the attacker to change where the program thinks the end of the buffer where the state machine is operating is located to beyond where it is supposed to be. Then the state machine can operate on parts of memory it is not supposed to while processing the font. This allows it to corrupt memory (to get control of the process) as well as read and operate on values from memory (which allows it to bypass ASLR, allowing it to find some executable code to use). At that point, it reuses the existing code fragments it wants (this technique is called return oriented programming) to launch a second exploit against a different vulnerability to escape the iOS sandbox, get root, disable code signing, and finally jailbreak the phone.
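
As an added illustration of the bug class Charlie describes above (this is a constructed toy, not the actual iOS font bug, whose code and format are not on this page), here is a small "font program" interpreter in C: a state machine that takes its end-of-buffer marker from an attacker-controlled length field in the data, beside a hardened version that refuses a declared length larger than the bytes it was actually handed. The opcodes, the 8-byte program layout and the four "neighbour" bytes standing in for adjacent memory are all invented for the demo; the later ROP and sandbox-escape stages are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical opcodes for the toy font program (not a real font format). */
enum { OP_END = 0x00, OP_READ = 0x01, OP_WRITE = 0x02 };

#define FONT_LEN 8   /* bytes the parser was actually handed */
#define MEM_LEN  12  /* font plus 4 bytes standing in for whatever sits next to it */

/*
 * Interpret one font program: mem[0] is a length field read from the file, the
 * bytes after it are opcodes. Only real_len bytes are legitimately ours.
 * Returns 0 on a clean run, -1 if the program was rejected.
 *
 * The bug: the vulnerable path trusts the declared length when computing `end`,
 * and every later bounds check compares against that believed end, so a
 * declared length larger than real_len lets OP_READ leak bytes past the buffer
 * (the ASLR-bypass primitive) and OP_WRITE corrupt them (the control primitive).
 * The demo keeps the declared length within MEM_LEN so the toy stays in bounds.
 */
static int run_font_program(uint8_t *mem, size_t real_len, int hardened, uint8_t *acc_out)
{
    size_t declared = mem[0];
    size_t end;

    if (hardened) {
        if (declared > real_len)        /* fix: the end can never lie past our bytes */
            return -1;
        end = declared;
    } else {
        end = declared;                 /* BUG: attacker moves the end marker */
    }

    size_t pc = 1;
    uint8_t acc = 0;
    while (pc < end) {
        uint8_t op = mem[pc];
        if (op == OP_END)
            break;
        if (op == OP_READ) {            /* OP_READ <off>: acc = mem[off] */
            if (pc + 1 >= end)
                return -1;
            size_t off = mem[pc + 1];
            if (off >= end)             /* checked against the *believed* end */
                return -1;
            acc = mem[off];
            pc += 2;
        } else if (op == OP_WRITE) {    /* OP_WRITE <off> <val>: mem[off] = val */
            if (pc + 2 >= end)
                return -1;
            size_t off = mem[pc + 1];
            if (off >= end)
                return -1;
            mem[off] = mem[pc + 2];
            pc += 3;
        } else {
            return -1;                  /* unknown opcode */
        }
    }
    *acc_out = acc;
    return 0;
}

/* Constructed arena: an 8-byte font program followed by 4 bytes that stand in
 * for a neighbouring heap object (in a real exploit, something like a pointer). */
static void build_arena(uint8_t mem[MEM_LEN], uint8_t declared_len)
{
    const uint8_t font[FONT_LEN] = {
        declared_len,        /* length field the state machine trusts */
        OP_READ, 10,         /* read mem[10]: past the 8 real font bytes */
        OP_WRITE, 11, 0x41,  /* overwrite mem[11] */
        OP_END, 0x00
    };
    const uint8_t neighbour[MEM_LEN - FONT_LEN] = { 0xDE, 0xAD, 0xBE, 0xEF };
    memcpy(mem, font, FONT_LEN);
    memcpy(mem + FONT_LEN, neighbour, sizeof neighbour);
}

/* Byte the program managed to read, or -1 if the parser rejected it. */
static int leaked_byte(int hardened, uint8_t declared_len)
{
    uint8_t mem[MEM_LEN];
    uint8_t acc = 0;
    build_arena(mem, declared_len);
    if (run_font_program(mem, FONT_LEN, hardened, &acc) != 0)
        return -1;
    return acc;
}

/* 1 if the neighbouring byte at mem[11] was overwritten, else 0. */
static int neighbour_corrupted(int hardened, uint8_t declared_len)
{
    uint8_t mem[MEM_LEN];
    uint8_t acc = 0;
    build_arena(mem, declared_len);
    (void)run_font_program(mem, FONT_LEN, hardened, &acc);
    return mem[11] != 0xEF;
}

int main(void)
{
    printf("vulnerable, declared 12: leaked 0x%02x, neighbour corrupted=%d\n",
           leaked_byte(0, 12), neighbour_corrupted(0, 12));
    printf("hardened,   declared 12: rc=%d, neighbour corrupted=%d\n",
           leaked_byte(1, 12), neighbour_corrupted(1, 12));
    printf("vulnerable, declared  8: rc=%d (offset 10 is out of range)\n",
           leaked_byte(0, 8));
    return 0;
}
```

The point to take from the toy is that the per-opcode bounds checks are all present and correct relative to `end`; the whole parser is undone by the one place that lets untrusted data decide where `end` is. With an honest length of 8 the same program is rejected at the first out-of-range read, so the fix belongs where the end marker is derived, not in the opcode handlers.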

  • Darkerson
    Pretty interesting read. Keep up the good work!
    Reply
  • pepe2907
    Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.
    Reply
  • DavC
    interesting read!
    Reply
  • mayankleoboy1
    No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.

    exactly
    Reply
  • mayankleoboy1
    if only software could be people-proof.
    Reply
  • jacobdrj
    mayankleoboy1: "if only software could be people-proof."
    "A farmer notices his chickens are getting sick, so he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, then suddenly stops and says, 'I've got it, but it would only work if the chickens were spherical and in a vacuum.'" - The Big Bang Theory...
    Reply
  • slicedtoad
    So is it safe to say that as an end user we shouldn't be over concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't reuse passwords (for the important stuff anyway), get a decent AV (like ESET) and keep your computer up to date.
    Multi-layered security on a home pc doesn't make sense, nor does 15 character alpha-numeric passwords (in most cases). No one is going to specifically target you or your pc.
    Reply
  • weaselsmasher
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
    Reply
  • christop
    Enjoyed this. Wish I had a few 0-days sitting around to sell.
    Reply
  • PreferLinux
    pepe2907: "Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages. If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy."
    Yes, but whether that is fully legal or not is another story.
    Reply