As he settled into a large black swivel chair in his office, Miller knew he had a challenge on his hands. He did not doubt whether he would find a flaw. He only wondered how bad it would be.
Cracking the iPhone
In December 2010, Miller reached out to a friend and security colleague, Dionysus Blazakis.
Blazakis, 30, started hacking in 1994 and has been breaking code ever since. But instead of breaking the law, he decided to become a software developer. He and Miller worked for the same computer security firm in Baltimore, Independent Security Evaluators. He’s also a zero-day hunter.
In instant chat messages, the two bantered about the technical details of the iPhone’s software. Like hackers everywhere, they wanted to find the easiest route to a vulnerability that would let them take control. Unlike most hackers, they had a deadline: The contest began on March 9, 2011.
“Where do you start? . . . What do you focus on?” Miller recalled asking himself. “The hard part is figuring out the soft part to go after.”
Reading through all the software instructions was out of the question. That might have worked two decades ago, when computer systems were simpler and the Web was still a novelty. A desktop computer then might have a million lines of software. Today, the software in a desktop computer could have 80 million lines or more. Finding the zero days by hand would be like searching a beach for a grain of sand of a particular shade of tan.
Miller and Blazakis decided to rely on a hacker technique known as “fuzzing” — inserting random data into applications and trying to force them to crash.
Making systems crash is easier than it might seem. Software programs are miracles of human ingenuity, veritable cathedrals made of letters and digits. But unlike Notre Dame in Paris or the Duomo in Milan — which took lifetimes to build and remain sturdy to this day — digital architecture is constantly evolving and can be made to crumble with the right push at the wrong spot.
Miller attributes that fragility to companies that place sales and novel applications over computer security.
“Companies want to make money,” he said. “They don’t want to sit around and make their software perfect.”
Many of those vulnerabilities are related to errors in code designed to parse, or sort through, data files sent over the Internet. A typical computer has hundreds of parsers in its operating system. One good example is an image parser. It identifies the information that makes up a digital photo, processes it and then sends the file to the part of the machine designed to display the image.
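To make the fuzzing idea concrete, here is a small added example, not code from Miller, Blazakis or the original article. It feeds randomly corrupted files to two parsers for a made-up "TIMG" image format (the format, the parsers and all names are constructed for illustration) and shows that the parser which validates its header never fails unexpectedly.

```python
import random
import struct

# Constructed toy format: 4-byte magic, width and height (u16 big-endian), then pixels.
MAGIC = b"TIMG"
SEED_FILE = MAGIC + struct.pack(">HH", 4, 4) + bytes(range(16))  # valid 4x4 sample

def parse_naive(data):
    """Trusts the header: indexes pixels by the declared size, no bounds check."""
    width, height = struct.unpack(">HH", data[4:8])
    pixels = data[8:]
    # In a memory-unsafe language this same mistake reads past the buffer.
    return [pixels[y * width + x] for y in range(height) for x in range(width)]

def parse_checked(data):
    """Validates magic, header length and declared size before reading pixels."""
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("bad header")
    width, height = struct.unpack(">HH", data[4:8])
    if width * height != len(data) - 8:
        raise ValueError("declared size does not match payload")
    return list(data[8:])

def mutate(seed, rng):
    """Overwrite one to three random bytes of a valid file with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(parser, seed, rounds=2000, rng_seed=1):
    """Return (input, error name) for every failure that was not a clean rejection."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(rounds):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ValueError:
            pass  # a malformed file rejected on purpose is the desired outcome
        except Exception as exc:
            crashes.append((sample, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    print("naive parser crashes:  ", len(fuzz(parse_naive, SEED_FILE)))
    print("checked parser crashes:", len(fuzz(parse_checked, SEED_FILE)))
```
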