Hacker Halted 2013: Charlie Miller says Mobile Attacks are Just Hype

Charlie Miller, Security Researcher at Twitter
Charlie Miller, Security Researcher at Twitter

“The only way to get code on any device is a ‘download and run’ by the user, or a vulnerability in software leveraged during normal behaviour.” It’s not the job of the mobile operating system, said Miller, to stop you running what you want to run.

“[A hacker] needs both vulnerability and an exploit. To minimise chance of attack, we need to reduce vulnerabilities and make them harder to exploit.” The industry’s focus, says Miller, has been on the latter.

What History Taught Us

Designers of smartphones have learned the lessons of PC malware, said Miller. “Some exploit mitigations were built in from day one. Apps run in a sandbox, they have to ask for permissions, which is not the case with desktops.”

If you reboot your iPhone, advised Miller, any exploits running on your browser will be gone.

Cybercriminals, according to Miller, are looking for an easy target and a high profit. “To submit an app to the Apple store, you have to register – and pay - for an account, prove your identity, and go through the review process.” It doesn’t make (financial) sense, he said, for an attacker to write malware for Apple smartphones. “There really isn’t any iOS malware”, he said. “Apple is like an anti-virus.”

Android, however, is a different story according to Miller. “The community polices itself – it’s not as secure. Android doesn’t have code signing for protection”, he explained.

When asked about the Windows phone, Miller responded: “Not many people are using it so no-one has bothered to research it. I’m sure their security will be just as good as iPhones, though”.

I'm Not Worrying, Nor Should You

The real issues around mobile, Miller told his Hacker Halted audience, are “users; lost phones and jailbreaks”, whilst declaring mobile malvertising “not worth the effort [for hackers]” and mobile exploits in the wild as something “you’ll only see from researchers, not the bad guys.”

“There have been no big breaches we know of which started with a mobile attack, and I don’t think there will be for some time yet. Attackers do, and go after, whatever is easy, and right now, that’s not mobile.” If we do see mobile attacks in the future, Miller predicted that “it will most likely be on Android”.

Miller’s advice to information security professionals concerned about mobile threats is fairly simple. “I wouldn’t spend many security dollars on it. Don’t ignore it, but don’t spend a big portion of your budget on it.” He suggests encryption, VPN and “ensuring users use the authentication that is built in to the phone.”

“You can’t affect any of the Apple processes”, and there is no need to invest in anti-virus for phones, Miller advised. “You just have to rely on the OS to protect you.”


Charlie Miller Bio:

Charles Miller is a computer security researcher with Twitter.
Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver Canada for being the first to find a critical bug in the ultrathin MacBook Air. The next year, he won $5,000 for cracking Safari. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. In 2011 he found a security hole in an iPhone's or iPad's security, whereby an application can contact a remote computer to download new unapproved software that can execute any command that could steal personal data or otherwise using iOS applications functions for malicious purposes. As a proof of concept, Miller created an application called Instastock that got approved by Apple's App Store. He then informed Apple about the security hole, who then promptly expelled him from the App Store. 





What’s hot on Infosecurity Magazine?