Forgot your password?
typodupeerror
Security The Almighty Buck Wireless Networking IT Apple

Apple Hacker Charlie Miller To Demo Dangers of Near-Field Communications 149

Posted by timothy
from the these-icons-sure-are-clastic dept.
An anonymous reader writes "Apple's hacker nemesis Charlie Miller, who the company banned from its app store developer program, apparently hasn't been waiting around for his suspension to be lifted. His latest pet project is hacking near-field communications (NFC), and at Black Hat USA in Vegas this month, he will demonstrate the dangers of using your smartphone to pay your cab fare. (But when his Apple 'sentence' is up, look out)."
This discussion has been archived. No new comments can be posted.

Apple Hacker Charlie Miller To Demo Dangers of Near-Field Communications

Comments Filter:
  • by crazyjj (2598719) * on Thursday July 12, 2012 @10:53AM (#40628037)

    iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

    • iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

      On the flip side, he make both Apple and the public aware of the exploits he finds. I'd rather Apple get a black eye over this than have the exploits remain out there where someone nefarious can find them and sell them to an eastern European cartel.

      • by alen (225700) on Thursday July 12, 2012 @11:14AM (#40628235)

        there is no NFC on the iphone now, nothing has been announced for iOS 6 and it's only a rumor for the next iphone

        how is he going to embarrass apple since they only have a few patents for NFC. and that's only because apple patents everything, even tech they don't end up using.

        if anything he's going to embarrass google since they are pushing NFC and google wallet

        • Well, convincing everyone NFC is a horrible idea before it launches would be one of the better economic efficiency services of white hatting.

          The reality is that there's a very important distinction between contact and contact-less communication, since if you have a suitable antenna you can pick out almost any signal, no matter how "short range". I mean America was snooping Soviet microwave transmission towers with satellites in tangential orbits during the cold war (hell, it's probably still being done).

          • by djdanlib (732853)

            The world doesn't need to wait for Apple. The problem is more immediate: NFC is already out there.

            The Samsung Galaxy S III had 9 million preorders and almost all of those have shipped by now. So there are 9 million NFC-enabled devices out there.

            Granted, it's off by default and easy to turn off.

      • Or you could let Apple know, keep it quite for a reasonable amount of time before you broadcast it.
        You know give them time to fix the problem, without letting everyone know to exasperate the problem, so Apple is forced to do a quick fix, where they could have done a better fix to the problem.

        What this guy is doing is Showboating to show how cool he is, without any concern about the people general security.

    • by dutchwhizzman (817898) on Thursday July 12, 2012 @11:07AM (#40628167)
      As if he couldn't get someone else to proxy for him already. If apple keeps him away and he finds something worth while, he'll find someone else that is willing to front for him and just submit another app to prove his point. Keeping people out is useless, they should be thankful for someone to hilight their security flaws, even if it's bad publicity for them at that moment. Not exposing it and letting someone commit a serious crime on a large scale will hurt Apple more than having someone expose it.
      • by Anonymous Coward on Thursday July 12, 2012 @11:13AM (#40628229)

        Oh Apple is fully within its rights, aside from the breach of fiduciary responsibility. Smart companies pay people like this for their services. Smarter ones give them a free tshirt and work for free. Stupid ones attempt to censor and really stupid ones prosecute.

      • by westlake (615356)

        As if he couldn't get someone else to proxy for him already. If apple keeps him away and he finds something worth while, he'll find someone else that is willing to front for him and just submit another app to prove his point

        That doesn't means the proxy gets to keep the new app in the app store.

        Talk of using a front is talk of a forming a conspiracy against Apple. It becomes a whole new ball game where the stakes are much higher.

        The very least that can be expected is that Apple will be screening its developers and its apps all that more closely. Where Apple leads, Amazon, Google, and Microsoft and all the rest are sure to follow.

        The walled garden is walled higher.

    • Since when does apple have control over an individual's freedom of speech?

      If people haven't figured out that NFC is a great tool for a ton of things but also anything but secure by now, I would say that they are completely oblivious. They're simply thinking that a communication tool (NFC) can also be relied on for security. I don't see anything wrong with him exposing exploits on the presumption that he already warned apple about them (which he commonly does). I don't think that has anything to do with "emb

    • by ogdenk (712300)

      iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

      1.) It's *MY* iPhone. Not Apple's. I bought it. If they don't like that they can stop selling hardware to end users.

      2.) I'll write whatever code I feel like, distribute it and talk smack all I want and they can't do dick about it. Just because they invented the walled garden doesn't mean they get to rewrite copyright law and assert control of something I bought. Just like they can't stop me from building a hackintosh. Locking people out for helping you secure your devices is asinine and childish.

  • Wireless (Score:1, Interesting)

    by tuck3r (987067)

    Whenever something is wireless there will always be a way to spoof or block it. All you have to do is provide it the right information and it will divulge all of it's information.

    To me this is just common sense. If you want something to be less prone to this type of hacking? Don't use a wireless product in general...

  • Dear Apple: (Score:4, Insightful)

    by circletimessquare (444983) <circletimessquare&gmail,com> on Thursday July 12, 2012 @11:08AM (#40628169) Homepage Journal

    The guy is providing you with research and development, for free.

    Hire him, you blind idiots.

    You'd prefer this hack had been quietly discovered in the wild by somebody who isn't so upfront with the techniques? And then deal with the cost and PR fiasco of violated iPhone users?

    Wake up, Apple HQ morons.

    Your wallet product is being hardened against exploit, for FREE, and you punish the guy for it.

    • by Anonymous Coward

      "The guy is providing you with research and development, for free."

      Umm, if the guy is already doing it for free, why hire him? :)

      • "The guy is providing you with research and development, for free."

        Umm, if the guy is already doing it for free, why hire him? :)

        Because if they don't, someone else will, and that someone else doesn't care nearly as much about Apple's image as Apple does.

    • Re:Dear Apple: (Score:5, Insightful)

      by sideslash (1865434) on Thursday July 12, 2012 @11:23AM (#40628323)
      I have to admit a little bit of schadenfreude at watching Apple gradually lose their reputation for having secure devices. If they didn't have such an arrogant and offensive attitude about the whole thing, it would be easier to sympathize.
      • Re: (Score:1, Informative)

        by Anonymous Coward

        You realize it's ultimately Unix losing it, right?

        • Stupid argument, can be used by Android fanboys as well, or for any closed *nix-like system...

        • Yes because Unix is inherently secure with magic pixie dust. There is nothing special about Unix that makes it secure. Just because the implementations tend to be more secure (which in some cases is debatable) doesn't mean all Unix systems are secure. Most attacks aren't even against the kernel anyway, they are against the applications that run on top of the kernel and there is little that "Unix" does about that. Linux, Windows, and now Mac (though most people agree their implementation sucks) use thing
      • by Eyezen (548114)
        "Arrogant and offensive" You mean the standard apple response of: "secure personal electronic commerce? Why would anyone want to do that?"
      • by Truedat (2545458)
        Did they honestly ever have a good reputation though in the first place, at least among the tech minded? Anyway it seems to me that they've softened their stance somewhat with a few steps in the right direction, such as not making wild claims about being immune to pc viruses on their website. And requiring third party apps to be signed on mountain lion. And not installing java and flash runtimes by default. And disabling them if they haven't been run for a while. Oh and not creating a significant market for
    • by Kenja (541830)
      Why hire someone willing to work for free?
    • Re:Dear Apple: (Score:5, Insightful)

      by jo_ham (604554) <joham999&gmail,com> on Thursday July 12, 2012 @12:04PM (#40628787)

      What hack is that exactly?

      There is no NFC hardware in the iPhone at present.

      As to being "idiots", I'm not sure how you arrive at that conclusion. Charlie has a flair for the dramatic and a clear skill at finding holes, sure, but he also antagonises those who (presumably) he is trying to impress (assuming his aim is to be financially rewarded for his work, which I don't think it is).

      There are better ways than very publicly violating the terms of your developer agreement and then expecting to get hired. If Apple *did* hire him after that, what does that say for the credibility of their developer agreements? Who would be the "blind idiot" then?

      • what you want is a dramatic hacker without an ego. it kind of comes with the territory

        so why don't you expect discretion and maturity from your fellow managers, and stop looking a gift horse in the mouth

    • by Truedat (2545458)
      You've presented a false choice, a third option would be to notify apple rather than try to sneak in an app past the terms and conditions. Perhaps it would be ok if I broke into your house in the name of security r&d?
  • by sandytaru (1158959) on Thursday July 12, 2012 @11:09AM (#40628191) Journal
    He's one of the guys that proved Apple isn't so unhackable and "immune to viruses" after all. He does have a point that NFC technology is too new to know whether it's safe, and honestly, I'm glad someone like him is on the case to determine just how exploitable it is. I've already had my bank account cleaned out once because of a hack into a store's debit card system.
    • by Mista2 (1093071)

      I'm still confused as to why we need this on phones in the first place.
      My current credit card has a mag stripe, and a contact chip, and gives me access to my account through eftpos. How come this can't just be expanded to include an RFID? I've seen a solar powered credit card sized calculator, so surely they could build a card with the simple smarts to say ill only pay when you are touching the card here, or when swiped left and right at a certain velocity near a reader. It could even be powered by the read

  • The Dangers of NFC (Score:5, Insightful)

    by 6031769 (829845) on Thursday July 12, 2012 @11:10AM (#40628195) Homepage Journal

    Essentially with NFC you have this card/phone in your pocket which all day long is saying to every other device it meets, "Hey, are you an EPoS terminal? I'd really like to pay for something, now!". It is not clear to me why the dangers of this need to be demonstrated, least of all to delegates at BlackHat.

    • by pnutjam (523990)
      And phone companies have a long history of being nothing but trustworthy, it's why they consistently the most loved companies in consumer surveys.
  • by Anonymous Coward on Thursday July 12, 2012 @11:12AM (#40628219)

    1) Apple phones don't have NFC chips in them so Charlie Miller cannot be "exposing them"

    2) Charlie Millier will be exposing security problems of NFC with Android phones.

    3) Charlie Miller is also Google's nemesis and has exposed how silly Android security testing is:

    http://www.darkreading.com/vulnerability-management/167901026/security/client-security/240003490/apple-ban-gives-miller-time-to-hack-other-things.html [darkreading.com]

    4) timothy seems to have an axe to grind against Apple so he's submitting these idiotic articles lately. It's he, however, that looks stupid as a result.

    • Re: (Score:2, Informative)

      by sideslash (1865434)

      It's he, however, that looks stupid as a result.

      Please don't get grammar partially right. Either say "it's him, however, that..." or "it's he, however, who...". Thank you; carry on.

      • by sribe (304414)

        Please don't get grammar partially right. Either say "it's him, however, that..." or "it's he, however, who...". Thank you; carry on.

        Hey, at least you got 1 out 2 ;-)

      • by mj1856 (589031)

        Uh, no. If you're going to be a grammar Nazi, at least get it right.

        He/Him [englishforums.com] - the original poster is correct.

        That/Who [suite101.com] - either are acceptable in this context, and it has no relationship to the he/him decision.

    • Nowhere did the summary say Charlie Miller is hacking NFC in an Apple phone. In fact, nowhere in the summary does the string "expos" appear, so when you quote "exposing them", who are you quoting?

      The summary said "Apple's hacker nemesis Charlie Miller". It's merely identifying Charlie Miller as a somewhat infamous Apple hacker. Any allusion to him hacking Apple devices in the summary is entirely the fault of people who are jumping to conclusions.

      This would be like saying "Sony's hacker nemesis George Hot

      • by jo_ham (604554) <joham999&gmail,com> on Thursday July 12, 2012 @12:12PM (#40628865)

        If you think that summary *isn't* a blatant swing at Apple, written to make Charlie's completely non-Apple-related NFC hacking look like something to do with Apple and the app store, then I have a bridge to sell you.

        If we're jumping to conclusions about what this means for Apple when two of the three sentences specifically mention Apple and his link to them and the "ban" from the App Store for violating his dev agreement. If Apple, the App Store and iOS have nothing to with this then why is 66% of the summary dedicated to it?

        The salient point appears to be that he will show something related to NFC hacking at a conference using a "smartphone". Interesting how the particular model of smartphone or the OS it runs is not mentioned, yet the other 66% of the summary heavily mentions Apple. Mmm. Seems legit.

        Either way, we know it's not an iPhone or iOS since the iPhone doesn't have any NFC hardware in it, unless he managed to get his hands on the rumoured iPhone 5 prototype that might have it included but no one knows yet.

        • If you think that summary *isn't* a blatant swing at Apple

          So far as I know, none of my statements alluded to whether or not I thought this was a swing at Apple. That's just another example of a reader jumping to conclusions, which isn't surprising if you already jumped to conclusions once. I wouldn't have worded the summary the way it was worded...perhaps the first sentence would have been the same, to help the audience identify who Charlie Miller is (because I certainly didn't recognize his name, being s

    • by MagicM (85041)

      Apple phones don't have NFC chips in them

      Apparently there is some evidence [slashdot.org] that the next generation iPhones will have NFC chips in them.

  • Is anybody surprised by this: "he will demonstrate the dangers of using your smartphone to pay your cab fare"?
    I have always been a little leery of these things. Between credit cards which don't require contact or a signature, and several other things ... they seem like something built for convenience, but without any real security in them.

    I'm betting this isn't even specific to Apple so much as the entire class of near-field tech.

  • The article seems to be light in the details of his exploit: particularly if it is specific to iOS or to the actual NFC spec. There are lots of other companies that have vested interest in NFC so it would be interesting to see his presentation when it comes around.

    • I doubt it's specific to iOS, as there are exactly zero iOS devices with NFC, and there is zero exposed support for NFC in either the production iOS 5.x, or the beta of 6.x.

  • by RobertLTux (260313) <robert&laurencemartin,org> on Thursday July 12, 2012 @11:32AM (#40628409)

    Does anybody have a good set of instructions on how to make a Faraday Cage wallet?? (note not how to buy said wallet or something on a split between 64 pages so we can get ad income for 64 page views thing like instructables)

    • You seem to be awfully picky for somebody who is too lazy (attention seeking?) to google it for themselves.
    • by Greyfox (87712)
      Maybe make a duck tape wallet but add some layers of that copper fabric Adam used in the "Gun to a knife fight" episode of Mythbusters? You'd just need to make sure the copper completely surrounds your cash, cards, passport or phone. I think a good way to test it would be to turn on wlan on the phone, connect to your local router and then slap that sucker in the wallet and see if the router can still find its mac address.

      RPI Polymath [rpi-polymath.com] has some instructions on making a duck tape wallet. For the copper fabri

    • Does anybody have a good set of instructions on how to make a Faraday Cage wallet?? (note not how to buy said wallet or something on a split between 64 pages so we can get ad income for 64 page views thing like instructables)

      Just place it under your tin foil hat. You see, you've already got one....

  • NFC and Payments (Score:5, Interesting)

    by TheGreatDonkey (779189) on Thursday July 12, 2012 @11:49AM (#40628597)
    So there I am standing at the gas station yesterday, and I catch a quick glimpse of one of those ad's on the TV screen offering to give you 5 cents off per gallon if you pay at the pump with NFC through your phone. I'm a bit amused by this as right next to it is a sign saying not to use your cell phone at the pump with a funny symbol of fire next to it. Curious as to the contrary suggestions, I look at the fine print of the NFC ad where it basically says "for your safety, you can only use this as a single pump" or basically trying to manage the risk by only using it briefly. This is somewhat funny as they can't seem to make up their mind as to whether is it safe, or isn't it?
    • Load 120-150lbs of a flammable liquid designed to explode at a low-to-moderate concentration in air into a container
      Strap said container to a box loaded with 1-7 humans
      Energize the entire chassis with a stored energy source capable of providing several hundred amperes of potential current flow
      Accelerate several hundred of such boxes to 100+fps velocity separated by 3-6 feet
      Take a second group and send them towards the first so the to groups pass no more than 3-6 feet apart.
      Make no provision for automatic/ac

    • by Inda (580031)
      Then English version of Mythbusters (Brainiac?) tried to explode a cavavan using mobile phones and petrol. They filled the inside with vapour, added half a dozen mobile phones, and called them all at once.

      Disapointing is the word. Nothing happened.

      I've also seen a cigarette dropped into a glass full of petrol.

      Disapointing again. Nothing happened.
      • It's possible they're just worried about mobile phones messing with the electronics of the pump, more than an explosive risk.

    • It's possible they're just worried about mobile phones messing with the electronics of the pump, more than an explosive risk.

      If you fill your tank (a mechanical process) but somehow the pump crashes and doesn't clock up the proper amount, they lose money. It may be a rare but possible effect. Of course they wouldn't want to tell people *that*, because then everyone would be trying it.

  • I just want to know how are they going to fit all the attendees into the cab so they can see what is going on?
  • He posted an app with an iOS exploit to the App Store and made it known publically afterwards. He claims he informed Apple beforehand but went ahead and posted his app anyway. Whatever point he was trying to make he lost it when it when he submitted the app to retail and then acted shocked when his developer access was pulled.

This screen intentionally left blank.

Working...