Understanding cyberspace is key to defending against digital attacks

Hackers insert corrupted data into an image file to disrupt the parser software, cause it to crash and open the way for the program to be hijacked.

“If an application has never been fuzzed, any form of fuzzing is likely to find bugs,” Microsoft researchers said in a recent paper on the use of fuzzing to improve security.

Consideration of software flaws and hackers is often a secondary priority for software developers, who often value sales and novel applications over security, some critics say.
No human being fuzzing by hand could cause a sufficient number of crashes to routinely allow a hacker to identify a zero day. So Miller and others write programs to do it. Miller’s fuzzing program enables him to connect to a variety of computers and keep track of thousands of crashes, including where in the software the crash took place.

“99.999 percent of the time, nothing bad happens,” Miller explained. “But I do it a billion times, and it happens enough times it’s interesting.”

The heart of his program is a function that randomly substitutes bytes in the input fed to a targeted program. He called the 200 lines of code that make up this function his “special sauce.”
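As an added illustration (not Miller's code, which the article does not show), here is a minimal mutation fuzzer in Python of the kind the paragraphs above describe: it overwrites a few random bytes of a seed file, feeds each variant to a target parser, and keeps a tally of crashes keyed by where in the target they occurred, with one reproducing input per bucket. The target is a toy parser for shape records (type, position, size), constructed for this example and loosely modeled on the file structure described later in the article; it is deliberately unchecked so that it fails in three different places. The record format, the function names and the seed bytes are all assumptions made for the example.

```python
"""Minimal mutation fuzzer with crash bucketing (added example, not the
article's or Miller's code).  The shape-record format, the buggy parser
and the seed file are constructed for illustration."""
import random
import struct
import traceback
from collections import Counter

SHAPE_NAMES = ["circle", "square", "triangle", "line"]


def shape_name(kind):
    # No range check: a kind byte >= 4 raises IndexError here (crash site 1).
    return SHAPE_NAMES[kind]


def parse_shapes(data):
    """Toy parser: u16 record count, then 9-byte records <kind:B x:H y:H w:H h:H>.
    It trusts the count and never checks w, so malformed input makes it fail."""
    (count,) = struct.unpack_from("<H", data, 0)
    shapes = []
    off = 2
    for _ in range(count):
        # struct.error when the count claims more records than the buffer holds (crash site 2)
        kind, x, y, w, h = struct.unpack_from("<BHHHH", data, off)
        aspect = h / w  # ZeroDivisionError when a mutated w is 0 (crash site 3)
        shapes.append((shape_name(kind), x, y, w, h, aspect))
        off += 9
    return shapes


def build(count, *records):
    """Pack a count header plus the given (kind, x, y, w, h) records."""
    return struct.pack("<H", count) + b"".join(struct.pack("<BHHHH", *r) for r in records)


def make_seed():
    """A well-formed three-shape file used as the starting point for mutation."""
    return build(3, (0, 10, 20, 16, 16), (1, 30, 40, 32, 8), (2, 5, 5, 12, 24))


def mutate(data, rng):
    """Overwrite one to four random bytes with random values: a dumb mutator."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def crash_location(exc):
    """Innermost frame of the traceback: (exception type name, function, line).
    struct.error reports its type name simply as 'error'."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def run_one(data):
    """Return None if the parser survived the input, else its crash bucket."""
    try:
        parse_shapes(data)
    except Exception as exc:  # the target 'crashed'
        return crash_location(exc)
    return None


def fuzz(seed_data, iterations, rng_seed=1):
    """Mutate the seed `iterations` times; return crash counts per location
    and the first input that reproduced each bucket."""
    rng = random.Random(rng_seed)
    buckets = Counter()
    examples = {}
    for _ in range(iterations):
        sample = mutate(seed_data, rng)
        loc = run_one(sample)
        if loc is not None:
            buckets[loc] += 1
            examples.setdefault(loc, sample)
    return buckets, examples


if __name__ == "__main__":
    buckets, examples = fuzz(make_seed(), 20000)
    for loc, n in buckets.most_common():
        print(f"{n:6d}  {loc[0]} in {loc[1]}() line {loc[2]}  e.g. {examples[loc].hex()}")
```

Running it prints a short list of crash buckets with counts and one reproducer each; that triage by location is what separates the trivial crashes from the one worth weeks of reverse engineering. Against a native target the "crash" is a signal rather than a Python exception and the location comes from the faulting address or stack trace, but the loop is the same.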

To begin his iPhone hack, he took four Apple computers, one a laptop borrowed from his wife, and connected them to another computer holding the iPhone’s software, the entire amalgamation spread over the benchlike desks of his home office. The homey set-up, complete with an overstuffed bookcase crowned by a bowling pin, looked like the lair of a graduate student pursuing a science project.

Miller ran the mini-network 24 hours a day for weeks. One machine served as the quarterback, launching and coordinating the fuzz attacks, tracking the crashes and collecting the details. Before 7 most mornings, he woke up, went into the office, signed into the quarterback computer and checked on the progress, like a kid hoping for snow.

He was on the lookout in particular for failures that involved computer memory management — a serious flaw that could offer the way in.

“The memory manager keeps track of where things are, where new things should go, et cetera,” Miller recalled. “If a program crashes in the memory manager, it means the computer is confused about what things are located where. This is pretty serious, because it means it is in a state where it might be persuaded to think my data is something it thinks is entirely something else.”

For now, most of the crashes were trivial. February was approaching, and time was short. Miller and Blazakis still did not have their zero day.

The hunt for flaws

Zero days have become the stuff of digital legend. In the 1996 science-fiction movie “Independence Day,” characters played by Will Smith and Jeff Goldblum launched a “virus” that took advantage of a zero-day vulnerability, crashed the computer system of an alien mothership and saved the world.

But they have always been more than just science fiction. For decades, hackers and security specialists have known about the existence of zero days. And as software proliferated, along with computers and networks, so did zero days. The researchers who found them often had no incentive to share their finds with the affected companies. Sometimes the researchers simply released the vulnerabilities publicly on the Internet to warn the public at large.

Government agencies that secretly engaged in hacking operations, along with some affected software makers, bought information on zero days from a thriving gray market, according to interviews with hackers and security specialists.

In 2005, a security firm called TippingPoint began offering bounties to researchers. Executives of the Austin-based firm reasoned that they could learn much for their own use while spurring the industry to fix threats by creating a master list. They called their effort the Zero Day Initiative.

Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero days. Starting at hundreds of dollars, the bounties soar into the tens of thousands. A hacker in Shanghai named Wu Shi has earned close to $300,000 for reporting more than 100 flaws in Web browsers.

The system seemed ideal, except for one thing: The software makers often failed to heed the warnings. Some vulnerabilities remained for two years or more.

In 2007, TippingPoint, now owned by Hewlett-Packard, decided to underscore the problem by holding a high-profile event. The Pwn2Own contest would require hackers to not only find zero days but to put them into action in what is known as an “exploit” or attack.

Getting closer

On Jan. 24, 2011, Miller and Blazakis saw a glimmer of hope. An especially promising crash appeared ripe for exploitation.

“Figuring out what to look at,” Miller wrote to his partner, “so we’re ready to rock.”

They had found it inside the part of the browser software that enables iPhone users to view PowerPoint presentations. It involved portions of the file that stored information about the location and size of shapes, such as a circle, square or triangle that would appear on a page of a presentation.

“Really, it was just bytes in a file. It just happened that it had something to do with a shape. We didn’t really care,” Miller said later. “As long as it was doing something wrong with the data.”

This could be their zero day, but more testing was required to see if they could exploit it.

Both men dived back into the technical details of the iPhone’s PowerPoint software. It was hard labor, even for highly skilled hackers. Blazakis stopped shaving and grew a “hacker’s beard.” He put in 18-hour days as he tried to reverse engineer the PowerPoint application in order to take control of it without causing too much disruption.

Bit by bit, they began mastering the layout of the PowerPoint software. They developed an understanding of it that rivaled those who designed it.

Finally, they found a way to insert their malicious code into the application and take control of a part of the iPhone.

“I think it’s under control now,” Miller wrote during an instant-message exchange on Jan. 27. “Sweet.”

Now they had to complete the exploit by figuring out a way to insert that code into an iPhone and ensuring that they could consistently hijack the device. Unlike the movies, where hackers are portrayed as breaking into computers as if they were cracking into digital safes, successful hacks often require deception and the unwitting complicity of the victim.

On Feb. 3, Miller joked to his friend about their struggle: “Looking for bugs fame money girls glory.”

Miller and Blazakis decided to create a way to lure an iPhone user to a bogus Web page. They would set up the page and trick a user into downloading a PowerPoint file. The file would appear normal, but it would contain their malicious code. (Known as “social engineering,” it’s the same technique used in the Google and RSA attacks.)

With the deadline looming, they began having video conference calls. They linked their computers in cyberspace and worked in tandem. They were a tired but formidable pair, cutting corners on their day jobs as security researchers as they closed in on the elusive exploit.

“The last two days were chaotic,” Blazakis said. “I stayed up most of the night doing this.”

On March 8, Miller flew to the contest, which was part of a security conference in Vancouver, B.C. But they still were not sure of the exploit. They continued fiddling with it right up to the eve of the event, including during Miller’s stopover in Seattle.

Their chance came on March 10. As he sat with judges and other hackers in a narrow conference room set up in the hotel, Miller had lingering fears that the hack still might not work on demand. Under the contest rules, he had just five tries to make it work.

When Miller’s turn arrived, he went behind a long table at one end of the room, where the judges sat with their own computers. Yellow cables snaked through the area (the hackers use cables instead of wireless to prevent other hackers from swiping the zero days in play). Miller connected his old white Apple laptop and looked out at other hackers, spectators and some reporters milling about.

A judge played the role of the unwitting iPhone user. The test phone was placed in an aluminum box to block unwanted wireless signals as an additional measure against any attempted theft of a zero-day exploit by other hackers. Miller told him to browse to the phony Web page holding a PowerPoint presentation that Miller had created. Hidden in the presentation’s data was the malicious code.

The image of the phone’s browser was projected onto a large screen. The judge typed in an address for the Web page, but the presentation never appeared. Instead, the image on the screen jumped back to the home page of the phone.

Miller, sitting with his own computer, knew just what had happened. In that moment, he had gained access to all the names and other information on the phone’s address book. He had found a way to strip privacy protections from a key part of the device.

He nudged one of the judges sitting near him and pointed to his screen, which was displaying the iPhone’s address book. He and Blazakis, who was looking on via a video feed to an iPhone he was holding in Baltimore, had won.

The next day, Miller received an oversize check worth $15,000 and beamed as he put on the white winner’s jacket.

Several weeks later, Apple acknowledged the exploit indirectly when the company issued a “patch.” As a result of the hackers’ work, the flaw they found and exploited was no longer a zero day.

Miller and Blazakis knew that behind the contest’s irreverent fun was a sobering reality.

“We’re smart and have skills and such, but we’re not that extraordinary,” Miller said later. “Imagine if you were a government or a Russian mob or a criminal syndicate and you could get 100 guys like us or 1,000 guys?”
