Government agencies that secretly engaged in hacking operations, along with some affected software makers, bought information on zero days from a thriving gray market, according to interviews with hackers and security specialists.
In 2005, a security firm called TippingPoint began offering bounties to researchers. Executives of the Austin-based firm reasoned that they could learn much for their own use while spurring software makers to fix the flaws by compiling a master list of them. They called their effort the Zero Day Initiative.
Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero days. Starting at hundreds of dollars, the bounties soar into the tens of thousands. A hacker in Shanghai named Wu Shi has earned close to $300,000 for reporting more than 100 flaws in Web browsers.
The system seemed ideal, except for one thing: The software makers often failed to heed the warnings. Some vulnerabilities remained for two years or more.
In 2007, TippingPoint, now owned by Hewlett-Packard, decided to underscore the problem by holding a high-profile event. The Pwn2Own contest would require hackers not only to find zero days but to put them into action in working form, in what is known as an “exploit” or attack.
On Jan. 24, 2011, Miller and Blazakis saw a glimmer of hope. An especially promising crash appeared ripe for exploitation.
“Figuring out what to look at,” Miller wrote to his partner, “so we’re ready to rock.”
They had found it inside the part of the browser software that enables iPhone users to view PowerPoint presentations. The flaw lay in how that software handled the portions of the file that store the location and size of shapes, such as a circle, square or triangle that would appear on a page of a presentation.
“Really, it was just bytes in a file. It just happened that it had something to do with a shape. We didn’t really care,” Miller said later. “As long as it was doing something wrong with the data.”
This could be their zero day, but more testing was required to see if they could exploit it.
Both men dived back into the technical details of the iPhone’s PowerPoint software. It was hard labor, even for highly skilled hackers. Blazakis stopped shaving and grew a “hacker’s beard.” He put in 18-hour days as he tried to reverse engineer the PowerPoint application in order to take control of it without causing too much disruption.
Bit by bit, they began mastering the layout of the PowerPoint software. They developed an understanding of it that rivaled those who designed it.
Finally, they found a way to insert their malicious code into the application and take control of a part of the iPhone.
“I think it’s under control now,” Miller wrote during an instant-message exchange on Jan. 27. “Sweet.”
Now they had to complete the exploit by figuring out a way to insert that code into an iPhone and ensuring that they could consistently hijack the device. Unlike the movies, where hackers are portrayed as breaking into computers as if they were cracking into digital safes, successful hacks often require deception and the unwitting complicity of the victim.
On Feb. 3, Miller joked to his friend about their struggle: “Looking for bugs fame money girls glory.”
Miller and Blazakis decided to create a way to lure an iPhone user to a bogus Web page. They would set up the page and trick a user into downloading a PowerPoint file. The file would appear normal, but it would contain their malicious code. (Known as “social engineering,” it’s the same technique used in the Google and RSA attacks.)
With the deadline looming, they began having video conference calls. They linked their computers in cyberspace and worked in tandem. They were a tired but formidable pair, cutting corners on their day jobs as security researchers as they closed in on the elusive exploit.
“The last two days were chaotic,” Blazakis said. “I stayed up most of the night doing this.”
On March 8, Miller flew to the contest, which was part of a security conference in Vancouver, B.C. But they still were not sure of the exploit. They continued fiddling with it right up to the eve of the event, including during Miller’s stopover in Seattle.
Their chance came on March 10. As he sat with judges and other hackers in a narrow conference room set up in the hotel, Miller had lingering fears that the hack still might not work on demand. Under the contest rules, he had just five tries to make it work.
When Miller’s turn arrived, he went behind a long table at one end of the room, where the judges sat with their own computers. Yellow cables snaked through the area (the contest uses wired connections instead of wireless so that other hackers in the room cannot capture the traffic and swipe the zero days in play). Miller connected his old white Apple laptop and looked out at other hackers, spectators and some reporters milling about.
A judge played the role of the unwitting iPhone user. The test phone had been placed in an aluminum box to block unwanted wireless signals, an additional measure against any attempted theft of a zero-day exploit by other hackers. Miller told the judge to browse to the phony Web page holding a PowerPoint presentation that Miller had created. Hidden in the presentation’s data was the malicious code.
The image of the phone’s browser was projected onto a large screen. The judge typed in the address of the Web page, but the presentation never appeared. Instead, the browser vanished and the screen jumped back to the phone’s home screen.
Miller, sitting with his own computer, knew just what had happened. In that moment, his code had already run on the phone and sent him all the names and other information in the phone’s address book. He had found a way past the protections that are supposed to keep that part of the device private.
He nudged one of the judges sitting near him and pointed to his screen, which was displaying the iPhone’s address book. He and Blazakis, who was looking on via a video feed to an iPhone he was holding in Baltimore, had won.
The next day, Miller received an oversize check worth $15,000 and beamed as he put on the white winner’s jacket.
Several weeks later, Apple acknowledged the exploit indirectly when the company issued a “patch.” As a result of the hackers’ work, the flaw they found and exploited was no longer a zero day.
Miller and Blazakis knew that behind the contest’s irreverent fun was a sobering reality.
“We’re smart and have skills and such, but we’re not that extraordinary,” Miller said later. “Imagine if you were a government or a Russian mob or a criminal syndicate and you could get 100 guys like us or 1,000 guys?”