iPhone app iPad app Android phone app Android tablet app More

Gerry Smith
Gerald.Smith@huffingtonpost.com Become a fan of this reporter
GET UPDATES FROM Gerry
 

Apple Punishes Researcher Charlie Miller For Finding Potential Security Flaw

Apple Charlie Miller

First Posted: 11/08/11 05:48 PM ET Updated: 11/08/11 08:06 PM ET

Inspiring
 Funny
 Obsolete
 Scary
 Must-Have
 Amazing
 Innovative
 Nerdy

In the cybersecurity world, most hackers fall into two categories. "Black hats" exploit flaws to cause chaos. "White hats" report flaws so they can be fixed.

Charlie Miller considers himself a white hat. A former security researcher for the National Security Agency, Miller has become famous in security circles for finding bugs in popular Apple products that could be exploited by hackers for malicious purposes.

But Apple said that while Miller was researching his latest discovery, he went too far.

He developed an application that he believed could download malware onto iPhones and iPads. To prove this, he disguised his app as a stock ticker program and got it approved for distribution in Apple's App Store.

Instead of thanking Miller for his work, Apple revoked his app developer license on Monday, saying it violated the developer agreement that forbid him to "hide, misrepresent or obscure" his app. He was also suspended for one year from Apple's developer program.

Miller said he was trying to demonstrate a flaw in Apple's process for reviewing new apps. If he hadn't introduced the app to the App store, no one would have believed that Apple would accept an app that could infect mobile devices, he said. Miller added that Apple overreacted.

"I'm helping them in many ways," Miller told the Huffington Post. "What they'e doing is making it harder for me to do that. I think it's an overreaction. No one was hurt by anything I did."

Apple did not return a request for comment.

Apple's decision to reprimand Miller comes after the company has tried to build closer relationships with security researchers. Before releasing its latest operating system, Lion OS X, this year, Apple invited security researchers to probe the system for flaws.

Some researchers say were surprised by Apple's decision to punish Miller after making the effort to work with security researchers.

"It doesn't make sense to me," said Roel Schouwenberg, a security researcher at Kaspersky Labs. "Apple has tried to reach out to the security community. This move seems really counterproductive."

Not everyone thinks Miller took the right approach, however.

Jonathan Zdziarski, an author of several books about iPhone software development, said he respects Miller's research but believes he should not have released his application in the App Store.

Zdziarski said Miller could have proved his point while making his app unavailable for download or by pulling his app from the store immediately after it was approved, "rather than give the some 100 million iOS users a chance to download and install this malware." Zdziarski said a hacker with bad intentions could have hijacked Miller's app to attack iPhone and iPad users.

"By allowing the application to remain in the App Store, Miller's good word is the only thing separating him from a common criminal, from Apple's perspective at least," Zdziarski said in an email.

In the last four years, Miller said he has reported more than 10 bugs to Apple. In July, Miller claimed to have found a new security flaw in Apple laptops that could allow hackers to ruin laptop batteries, infect them with malware or potentially cause them to overheat and catch fire. In 2009, he found a bug that allowed hackers to take control of an iPhone with a text-messaging attack. Apple seemed to appreciate his work, he said.

Miller's latest finding was notable because it involved Apple's iOS platform, which is considered to be more secure than mobile phones that run on Google's Android operating system. In June, the security firm Symantec said that Google's model for vetting apps on Android devices was "less rigorous and consequently, less secure" than Apple's iOS platform.

Miller, now a research consultant at Accuvant Labs, said he contacted Apple three weeks ago about the vulnerability, but did not tell the company about his disguised app, which had been available in the App Store since September. Miller said Apple has since removed his app, but that his findings exposed a weakness in Apple's App Store.

"Until they fix this flaw," Miller said, "you can't trust the App Store."

FOLLOW HUFFPOST TECH

In the cybersecurity world, most hackers fall into two categories. "Black hats" exploit flaws to cause chaos. "White hats" report flaws so they can be fixed. Charlie Miller considers himself a whi...
In the cybersecurity world, most hackers fall into two categories. "Black hats" exploit flaws to cause chaos. "White hats" report flaws so they can be fixed. Charlie Miller considers himself a whi...
 
 
  • Comments
  • 223
  • Pending Comments
  • 0
  • View FAQ
Comments are closed for this entry
View All
Favorites
Recency  | 
Popularity
Page: 1 2 3 4 5  Next ›  Last »  (6 total)
photo
HUFFPOST SUPER USER
5pliff5tar
93 Fans
 
03:58 AM on 11/11/2011
"no app developer license for you! Come back 1 year!"
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:26 AM on 11/11/2011
(A) "Until they fix this flaw," Miller said, "you can't trust the App Store."
====================================================
It's hard to believe the way political correctness hurts this country & nonsense is accepted for rationality--& that Apple is getting bad press for this.

This is like Capt. Rusk, the self-styled security specialist from Iowa, making a deal w/Muhammed Khalik, a local Afghan w/questionable loyalty, to walk thru a "drill" and rush the Marine camp's spent ammo dump precisely at noon on Thursday. It's a crafty plan w/many consequences. He knows his romantic rival, Sgt. Savage of Des Moines, kicks back on shift change for 5 minutes each Thursday at the dump's cool rocky crag, and records a lovey-dovey microcassette for the mail run on Fridays--while his buddy Cpl. Dawson doubles down on the watch for a few. Rather than just busting Savage for a breach, Rusk sets him up.
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:22 AM on 11/11/2011
(B) At breakfast, he comments to Savage "looks good, been quiet lately" to encourage no change in routine. According to plan, Khalik & two men seize the dump, take Savage & the corporal hostage, and the Afghan puts his rifle to Savage's head--just as the Captain happens to show up w/the local Colonel for a "surprise" spot check. Capt. Rusk, the ready hero, motions to Khalik "OK, Khalik, we're done, we've made our point! You can put the AK down." Khalik has something else in mind and w/a big smile says "What do you mean "We"-- and points it at the Colonel. Fortunately, Savage & the Corporal know what they are doing and, still armed, mow the locals down.

Three months later, Capt. Rusk is still scratching his head at his Court Martial, and the judge asks Rusk if there wasn't "a better way?" Rusk snaps to attention and salutes, "SIR, It couldn't have happened that way if I hadn't setup it that way, SIR!" Rusk is discharged from the Corps, never understanding what he did, and still ranting as he is carried to the van in wonder that his skill was not appreciated: "It just doesn't make sense to me, the Marines wanted me to improve security, and I did. Talk about counterproductive! You know that if I can break in, anyone can--you just can't trust the Marine Corps anymore! Semper Fi!"
PS: Happy Birthday USMC!
Permalink  |
jimmy1965
15 Fans
10:00 PM on 11/10/2011
lets be honest here. steve jobs was a brilliant man and the world could have only gotten better if he was still around. now.FACT.over 90% of all apple products are made in another country.so much for made in america from an american billionare. FACT.apple sits on last count on his death 29 billion dollars in profits sitting in the bank. FACT apple never lowers its prices which would allow alot of people to own and discover apple, dosent that make good business sense. so it if you dont like there prices, to bad. apple is free to do what they want but i and alot of others are not buying into there greed. and as of the last 2 days there stock is falling because of low sales world wide, and the reason, because other companies are dropping there prices.
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:26 AM on 11/11/2011
Very well put, outstanding that someone came out and said what I was thinking without me even realizing I had these thoughts about Apple, whom I dont use. Never did like that Jobs guy though, maybe this is part of the reason why.
Permalink  |
photo
PenguinLinux
got root ?
157 Fans
11:49 AM on 11/10/2011
1) Hackers do not follow rules. Yes, Charlie broke the agreement, but so would any hacker.

2) He harmed Apple's ego and business by perhaps damaging customer faith and trust in Apple and their products, but he did not harm their customers.

3) Linux uses a centralized repository which is heavily monitored and secured through policies and procedures in an open community. This contrasts Apple's "Walled Garden" approach. (for more on this subject, read Eric S. Raymond's "The Cathedral and the Bazaar".
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:33 AM on 11/11/2011
He put his employer, who it sounds that he had an Independent Contract with, at risk, unnecessarily and if you want to talk about ego it was as much Charlie's since the risk was not eliminated, he spun the roulette game where the stakes were he could win but not lose, unless the supposed benefactors took an affront, which they correctly did.
Permalink  |
HUFFPOST SUPER USER
Draekia
Open-minded thinker and traveller
49 Fans
04:23 AM on 11/10/2011
So he created and published malware and left it up for months before telling Apple? I think they had good reason to punish him. As for a whole year? Maybe a bit excessive, but he could have been more forthright about what he did quickly after posting it in the store.

I know, I know, Apple is evil, but seriously kids, think about the way he went about this. Talk about violating the terms of the agreement he signed.
Permalink  |
photo
HUFFPOST SUPER USER
No Yards
I never said most of the things I said.
112 Fans
08:02 AM on 11/10/2011
You mean there was malware in the AppStore for months and Apple wasn't aware of it until the author told there?

Then the story is not that they punished the author of the app, the story is that Apple's policy of developer registration has no effect on preventing malware (a real hacker can easily use stolen identity to register as a developer) and that Apple's app review process is a joke.

For all we know there could be 1000's of malware apps in the appstore, the developers may have used stolen identities to register, but as we clearly see, as long as they don't tell Apple about their malware then Apple is not likely to find it on their own.

Apple once again has punked their iSheep into believing that their secrecy and closedness is in the best interests of the consumer ... when in truth there is no real way to properly review 500,000+ applications for security flaws and exploits. That's not necessarily Apple's "fault", but trying to spin that problem, and their lack of ability to address the problem, by hiding the process in a shroud of secrecy and pretending that problem doesn't exist, certainly is Apple's fault.
Permalink  |
HUFFPOST SUPER USER
Draekia
Open-minded thinker and traveller
49 Fans
08:35 AM on 11/10/2011
I agree entirely in your last bit, there.

As for the review process having NO effect, until we see such exploits regularly used, your point is pure biased (obviously by your phrasing) conjecture, I'm afraid.

From the lack of such identity theft occurring, so far one could only really assume that it is having at least some of the intended effect.
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:32 AM on 11/11/2011
Are you kidding? Banning for life would not have been unreasonable, or how many times do you let the neighbor aim a 22 at your kid?
Permalink  |
photo
BoFo
Like, you talkin' to me?
259 Fans
02:04 AM on 11/10/2011
Apple, the new Ev i l Empire.
Permalink  |
photo
HUFFPOST SUPER USER
jsgaetano
Legum servi sumus ut liberi esse possimus
3825 Fans
 
01:33 AM on 11/10/2011
Security and Apple are two words which never go together. Apple brags how SteveJob forced it's programmers to slap together code in two weeks which should have taken six months. In the real world, slapped together shoddy work leads to security trainwrecks. "Jailbreak" is the litmus test on iOS security: if Jailbreak is possible, iOS security is a joke and an illusion.
Permalink  |
photo
David LS
432 Fans
10:28 PM on 11/09/2011
Since when are big corps straight up with the public.
Arm twisting, shin kicking and sometimes head bashing is necessary to just get a reaction from some companies.
They spend hundreds of millions on marketing and far less on QC.
The lesson learned here is one of power to the consumer is not a necessary evil but a needed trust factor for any company looking to sell to these consumers.
Permalink  |
This user has chosen to opt out of the Badges program
photo
authorized-user
macho macho man
634 Fans
09:55 PM on 11/09/2011
Apple has turned into the ( big brother) company they used to advertise against.
Permalink  |
Sajwert
895 Fans
04:54 PM on 11/09/2011
Miller forgot a famous saying: No good deed goes unpunished.
Permalink  |
photo
HUFFPOST SUPER USER
cocoislerealty
34 Fans
03:33 AM on 11/11/2011
With deeds like that you don't need practical jokes.
Permalink  |
photo
HUFFPOST SUPER USER
TaiJi2
791 Fans
04:43 PM on 11/09/2011
Um, no. Apple punishes dev for breaking terms of service. There's a big difference.
Permalink  |
photo
HUFFPOST SUPER USER
No Yards
I never said most of the things I said.
112 Fans
08:10 AM on 11/10/2011
oh my, those poor hackers out there ... there's a "terms of service agreement" preventing them from putting exploits in their apps and posting them to the app store.

Hear that all you Windows users? There's a much better way to prevent virus attacks on your system ... remove your virus scanners and replace them with "terms of service agreements".

This dev did you all a great big service, assuming you are capable of opening your eyes and seeing beyond the Apple spin ... he showed you that Apple's so-called "safe" app store is protected by smoke & mirrors and a whole lot of Apple marketing spin.
Permalink  |
DefineReality
30 Fans
11:33 AM on 11/10/2011
Yes, lets all thank Apple for once again showing the world that their security measures, vetting process and everything involved in their company is a joke.

Any other company would have thanked him and then probably offered him a job for finding such a ridiculously large gaping hole in the system. But no, not Apple, they need to keep up the illusion that their products are more secure and that no bug can get by.. That is what it is really about.
Permalink  |
pbr56
409 Fans
11:43 AM on 11/09/2011
Shoot the messenger.
Permalink  |
Kamereon
68 Fans
11:38 AM on 11/09/2011
Wow, any negative article on Apple, and out come all of the devout followers. It's almost as bad as saying something bad about Scientology. Apple fans are acting more and more like a cult.
Permalink  |
photo
Sorenson
Time for a Revolt of No Confidence
143 Fans
04:03 PM on 11/09/2011
Why are you surprised? Apple pretty much rons on the cult of personality MO as it is.
Permalink  |
photo
HUFFPOST SUPER USER
maverick9808
klaatu barada necktie
86 Fans
08:43 AM on 11/10/2011
maybe apple needs more aliens in the market mix?
Permalink  |
photo
HUFFPOST SUPER USER
theveggiedude
my body is a temple, not a living graveyard
662 Fans
 
11:24 AM on 11/09/2011
This is the equivalent of an undercover cop who uses his clout to get near a politician with his handgun, then pull it out and say "see how weak your security is! I got in with a hand gun!!"

LOL
Permalink  |
photo
HUFFPOST SUPER USER
No Yards
I never said most of the things I said.
112 Fans
09:50 PM on 11/09/2011
Maybe, but the truth is that most serious hackers use social engineering as part of their hacking toolkit.

A serious hacker would also use the "trusted developer" process to get their hacked up onto the AppStore.

If Apple relies too much on their "trusted developer" process to weed out potential hacker attacks, then this too is a real security flaw.

Apple can ignore that flaw and pretend that what happened could never happen ... but that's a fools game. If Apple's answer to social engineering security flaws in its processes is to make excuses, blame it on people "breaking the rules", then Apple is in for some rough security challenges ahead ....'cause if Apple is counting on hackers not "breaking the rules" as some kind of security policy, then there's stay far away from Apple.
Permalink  |
photo
HUFFPOST SUPER USER
JohnTheMac
Now, why don't you go home and get your shine box?
223 Fans
12:37 AM on 11/10/2011
"'cause if Apple is counting on hackers not "breaking the rules" as some kind of security policy, then there's stay far away from Apple."

No, they're not 'counting on' hackers not breaking the rules.
But are you saying they shouldn't have rules? or they shouldn't reprimand people for breaking them?
ok, say there weren't rules about hidden apps.
Then someone makes one, does something covert, whatever.
Apple kicks it out for being malware.
Developer asks why, or even sues. Why not? You're picking on the guy! What did he do wrong? (you never defined wrong, did you?)
Wasn't this type of thing heard enough with apps being kicked out of the app store?
Some app had women's beasts jiggling or anti-gay themes, or whatever, and people complained that there weren't clear guidelines. Remember that?
So they have a rule about no hidden apps or malware, and they enforce it, but that doesn't mean that's the only thing they do.
Permalink  |
Page: 1 2 3 4 5  Next ›  Last »  (6 total)