Photo By Kevin A. Roberts
Donning a green military jacket and cap, Charlie Miller explains to a group of hackers and cybersecurity experts how he’d build a cyber army in North Korea. He boasts that his army could infiltrate military networks and power grids, interrupt cellphone service, and take over millions of computers around the world “for the bargain-basement price of $49 million.” In this presentation, delivered at the 2010 DEF CON conference in Las Vegas, he’s included doctored photos of himself standing beside North Korea’s then-leader, Kim Jong Il, with the premise that he’s been kidnapped.
When he gave the same presentation at a conference in Estonia about cyberconflict, former U.S. cyber czar Melissa Hathaway was in the audience. “Apparently, she didn’t like it,” he says.
Fortunately, Miller’s one of the good guys: He’s what’s called a “white hat” hacker, an expert who reports software vulnerabilities to the manufacturers, so “black hat” hackers can’t take advantage of them.
His presentation is tongue-in-cheek, but it’s also surprisingly plausible. Miller outlines in great detail how to wage warfare using remote-access tools and botnets, using tech jargon that might sound like the patter you’d hear in a sci-fi movie. But this isn’t a movie. It’s a conference for hackers. And they’re listening.
Since he became the first person to remotely hack the iPhone, in 2007, the 39-year-old Wildwood resident has steadily earned a reputation as one of the world’s best hackers. Miller has since bested the defenses of the MacBook Air, the iPhone 4, and Android phones. The New York Times, The Washington Post, and Forbes have written about him.
“Very few researchers that I know produce epic hacks as frequently as Charlie does,” says Andy Greenberg, a writer for Forbes and author of This Machine Kills Secrets. “If you judged him just by his reputation in the hacker world, you would think he was 7 feet tall and could shoot lightning bolts out of his fingers. He’s constantly pulling off things that seem impossible.”
As you watch Miller’s presentation, you can begin to conceive how, with $49 million, two years, and enough recruits, he could take over the world.
Growing up in Affton, Charlie spent a lot of time alone. His mother, Geraldine, died of cancer when he was 7. Miller’s sister, Gayle—13 years his senior—left home a year later. His father, Don, a St. Louis policeman, worked multiple jobs and was rarely home. “He had a lot of freedom when he was a kid,” recalls childhood friend Gus Wagner. “He was very responsible; he did a lot of self-raising.”
As a kid, Charlie played the family’s Commodore 64, an 8-bit gaming system. Later, he switched to an Atari 400. But by the time Miller entered Lindbergh High School, there wasn’t a computer in his home. “When I wanted to write a paper, I’d have to go to my friend’s house,” he says. His passion was racing bikes, not computers or class work: “I dropped out of [honors social studies] because the teacher said the next year we were going to have to read a book.”
As a freshman at Truman State University, Miller signed up for computer science, but he says the university’s computers were so slow at the time that he dropped the course. He tried political science and philosophy instead, but the topics’ precarious nature frustrated him. It was math that appealed to him most. “I like that in math, you can’t argue with me,” he says. “This is the answer—I can prove it to you.”
The same year, he met his other love: Andrea Moses. He proposed during junior year, and they married after graduation. That summer, the couple moved to Indiana, so Miller could continue his studies at the University of Notre Dame. He wrote his doctoral dissertation on equations that describe fiber optics, but decided against becoming a math professor. Instead, he took a job with the National Security Agency.
Miller’s still unable to discuss the details of his time at the NSA, apart from vague references to foreign targets and computer-network reconnaissance. “My wife would come to these parties [with co-workers], and we’d have no idea what to talk about, because we couldn’t talk about work,” he says.
Though he was hired to be a cryptographer, Miller quickly transitioned into cybersecurity instead. He relished tinkering with software, figuring out the design behind a product and bending it to another purpose. Miller compares it to doing a suduko puzzle no one’s ever solved: “It’s hard, but when you’re done, you have the satisfaction of being the only one who’s ever done it.”
It wasn’t until 2005, when he returned to St. Louis and found a job at a broker-dealer financial firm, that he began the private research that
would lead to some of his most epic hacks. While testing a version of the Linux operating system, he discovered what’s known as a “zero-day vulnerability,” a previously undiscovered glitch in a program that lets hackers take over the device.
He sold the information to the U.S. government for $50,000. “I didn’t tell anyone; that was part of the deal,” he says. “There was this two-year period where I knew something, and everyone’s computer was vulnerable to it, and it wasn’t getting fixed.”
He now shares his research with the broader community—to an extent. “I try to make the Internet a better place by reporting vulnerabilities,” Miller writes via email. “However, at the same time, I don’t feel an obligation to do it.”
Dino Dai Zovi, an information-security expert who co-authored The Mac Hacker’s Handbook with Miller, recalls including zero-day vulnerabilities not reported to Apple in the book. “He said, ‘Well, if they want to know about the vulnerability, they can just buy the book like everyone else.’”
A poster from the 1995 Angelina Jolie film Hackers hangs on the wall of Miller’s Wildwood home. Though he usually works in the dark, the lights are on as he erases the hard drives on two computers that belong to Accuvant, a Colorado-based cybersecurity consulting firm that he previously worked with remotely for about a year.
As he works, his cellphone occasionally buzzes, possibly with calls from reporters: Just a day ago, he announced plans to work remotely for Twitter’s security team. Miller ignores the calls, explaining how he hacked the iPhone—twice. “Everyone believed Macs were totally secure and safe,” he says, “and I knew they weren’t.”
At the time of his first iPhone breakthrough, in 2007, Miller was working for Independent Security Evaluators, a Baltimore-based cybersecurity consulting firm. He built a Web page that allowed him to remotely access and control an iPhone when a user navigated to the page. He presented his findings at the Black Hat conference, a gathering of cybersecurity researchers, two days after Apple issued a patch (i.e., a software update) to fix the vulnerability.
Miller often finds flaws via an automated technique called “dumb fuzzing,” in which he makes a simple, random change to a program’s data, then tries running it. It takes millions of tries to cause even a few crashes, and of those crashes, just one might be the result of a zero-day vulnerability.
“This is computer hacking,” Miller says. “It’s me staring at this screen for like a week and clicking around and clicking around, and finally saying, ‘Wait a second, I think that’s not right.’”
In 2008, Miller tackled Pwn2Own, a competition run by HP’s TippingPoint Zero-Day Initiative. It challenges cybersecurity experts to hack certain devices or software to win that device and prize money. After winning in 2008 by hacking the MacBook Air, Miller won three more times—twice more than any other competitor.
Miller’s also part of the reason the competition gives out prizes. “After the second year, I said I’m not doing it again unless I get a giant novelty check,” he says. “So the third year, I got a check.”
“I went to a conference with him,” says his sister, Gayle Ezell. “When he’s around people in the same line of work that he is, they all want to get pictures with him and shake hands with him.”
It was last fall, though, that Miller gained the most notoriety to date, exploiting a security vulnerability in Apple’s iOS operating system that made it possible for seemingly innocent apps to download new code or malware. Instead of contacting Apple directly about the vulnerability, he created an app, InstaStock, that appeared to be a stock ticker, but was actually connected to Miller’s server and would download any code he sent it. Then he submitted it to Apple’s App Store and waited for the company to notice the vulnerability, knowing that the company prides itself on its stringent security review.
When the company approved the InstaStock app last September, Miller waited for it to be removed. By November, Apple still hadn’t noticed the vulnerability, so he posted a YouTube video about it and told Greenberg, who wrote about it for Forbes. Apple promptly kicked him out of the iOS Developer Program for a year.
“It seemed to me that I was helping Apple,” Miller says. “And then when they did that, it seemed really shortsighted. Now I can’t really help them as well as I normally do. I couldn’t even test to see if they patched the bug.”
Still, Miller’s received interest from other sizable organizations—including the U.S. Department of Defense. The Defense Advanced Research Projects Agency recently funded exploration of near-field communication technology, which lets you pay for things with a wave of your phone. At this summer’s Black Hat conference, Miller used the technology to break into a Samsung Nexus S, a Galaxy Nexus, and a Nokia N9.
His latest project for DARPA involves a new industry: cars. Working with fellow cybersecurity expert Chris Valasek, Miller plans to hack into the computers inside a Ford Focus and a Toyota Prius to see what a hacker could do and how to prevent it. “If tomorrow The New York Times said, ‘Hackers break into cars and crash them,’ what could you do? Nothing,” says Miller. “Maybe we can design ways that people can write antivirus for cars.”
To demonstrate a software exploit, he types an address into Safari. Instead of bringing up a website, the address opens the computer’s Calculator program. It’s called “popping calc” in hacker circles, and it’s a common way to “plant your flag,” to show you have control of a computer. It seems about as menacing as a magic trick, but having that control means someone could steal all of the information on your computer.
It’s subtle but powerful, like Miller. “He won’t ever tell you if he does anything cool,” says Wagner. “You have to read about it in the paper.”