Apple Hacker Charlie Miller To Demo Dangers of Near-Field Communications

An anonymous reader writes "Apple's hacker nemesis Charlie Miller, who the company banned from its app store developer program, apparently hasn't been waiting around for his suspension to be lifted. His latest pet project is hacking near-field communications (NFC), and at Black Hat USA in Vegas this month, he will demonstrate the dangers of using your smartphone to pay your cab fare. (But when his Apple 'sentence' is up, look out)."

What makes you think his "sentence" is ever up?

[crazyjj]

iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

Re:What makes you think his "sentence" is ever up?

[zoward]

iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

On the flip side, he make both Apple and the public aware of the exploits he finds. I'd rather Apple get a black eye over this than have the exploits remain out there where someone nefarious can find them and sell them to an eastern European cartel.

Re:What makes you think his "sentence" is ever up?

[alen]

there is no NFC on the iphone now, nothing has been announced for iOS 6 and it's only a rumor for the next iphone

how is he going to embarrass apple since they only have a few patents for NFC. and that's only because apple patents everything, even tech they don't end up using.

if anything he's going to embarrass google since they are pushing NFC and google wallet

Re:What makes you think his "sentence" is ever up?

[angel'o'sphere]

Well those compariosions of Dells versus HP versus Apple make no sense to em at all.
If you don't want to run Mac OS X you are likely better off with a non Apple having the specs you want.
If you want to run Mac OS X you are likely better of running it on a Mac.
Why should I get a Mac to run Linux or Windows on it? Why should I get a Dell or HP to run Mac OS X on it???

Re:What makes you think his "sentence" is ever up?

[andydread]

Oh, and no Apple product cost twice what it should, they are comparable in price to any business-class Dell or HP. There is no 500GB HD for $200, so you are just a filthy fucking liar trying to spread propaganda which you can't back up.

They recently listed a 640 GB for $199

They list a 4GB ECC 1333 DIMM module for $150
Newegg has a 8GB ECC 1333 DIMM module for $68

So from where I sit it looks like Apple products cost twice what they should. .... just saying.

Re:What makes you think his "sentence" is ever up?

[MightyYar]

The only difference is my laptop is not ultra-thin, which is unimportant to me.

You nailed it... much cheaper to make a heavy/large notebook. The HP/Dell/Lenovo models with same size, weight, and battery specs as the Apples are +/- 10% in cost, depending what part of the product cycles you are in. And Apple hardly ever has sales - though Amazon can often save you $100 bucks.

Re:What makes you think his "sentence" is ever up?

[Gr8Apes]

So, let's start with the cheapest laptop Apple makes, the 13 inch MBP - i5 with HD4000 graphics and 4GB RAM, 500GB drive at $1199.

Dell - no similar laptop, even their $1800 or so Lattitude only has HD3000 graphics, they're all 2nd gen i5 processors.

HP has two at first look: $999 model and a $1399 model. Reviewing the specs, however, show that these are actually competitors to the 13" Mac Air, at $1199 which weighs less and comes with better confirmed battery life than HP posted. So, HP is also appears to be out in most comparisons, although they might have a slightly less expensive Air model. I didn't look deep enough to figure out exactly what the differences between their $999 and $1399 models were, nor how they compare exactly with the Mac Air. I just gave them the benefit of the doubt and stated they were mostly comparable, and dropped the issue of screen resolution differences (HP is wider, but shorter than the Mac Air, but not enough to belabor over in this comparison)

I didn't bother to look any further - I think the above speaks for itself across 2 product comparisons and continues to support what I found a year ago when matching 15" laptops. There is little, if any, "Apple tax" on the surface, and none when looking at what comes with the system as a whole, at least for a large portion of their products.

Re:What makes you think his "sentence" is ever up?

[ogdenk]

iOS is a walled garden. Apple is under no obligation to let anyone develop for it. If you're going to embarrass and criticize Apple, they are under no obligation to let you do it on their iPhones and iPads (or Macs either, for that matter).

1.) It's *MY* iPhone. Not Apple's. I bought it. If they don't like that they can stop selling hardware to end users.

2.) I'll write whatever code I feel like, distribute it and talk smack all I want and they can't do dick about it. Just because they invented the walled garden doesn't mean they get to rewrite copyright law and assert control of something I bought. Just like they can't stop me from building a hackintosh. Locking people out for helping you secure your devices is asinine and childish.

Re:What makes you think his "sentence" is down?

[dutchwhizzman]

As if he couldn't get someone else to proxy for him already. If apple keeps him away and he finds something worth while, he'll find someone else that is willing to front for him and just submit another app to prove his point. Keeping people out is useless, they should be thankful for someone to hilight their security flaws, even if it's bad publicity for them at that moment. Not exposing it and letting someone commit a serious crime on a large scale will hurt Apple more than having someone expose it.

Dear Apple:

[circletimessquare]

The guy is providing you with research and development, for free.

Hire him, you blind idiots.

You'd prefer this hack had been quietly discovered in the wild by somebody who isn't so upfront with the techniques? And then deal with the cost and PR fiasco of violated iPhone users?

Wake up, Apple HQ morons.

Your wallet product is being hardened against exploit, for FREE, and you punish the guy for it.

Re:Dear Apple:

[sideslash]

I have to admit a little bit of schadenfreude at watching Apple gradually lose their reputation for having secure devices. If they didn't have such an arrogant and offensive attitude about the whole thing, it would be easier to sympathize.

Re:Dear Apple:

[Kenja]

Why hire someone willing to work for free?

Re:Dear Apple:

[CanHasDIY]

"The guy is providing you with research and development, for free."

Umm, if the guy is already doing it for free, why hire him? :)

Because if they don't, someone else will, and that someone else doesn't care nearly as much about Apple's image as Apple does.

Re:Dear Apple:

[jo_ham]

What hack is that exactly?

There is no NFC hardware in the iPhone at present.

As to being "idiots", I'm not sure how you arrive at that conclusion. Charlie has a flair for the dramatic and a clear skill at finding holes, sure, but he also antagonises those who (presumably) he is trying to impress (assuming his aim is to be financially rewarded for his work, which I don't think it is).

There are better ways than very publicly violating the terms of your developer agreement and then expecting to get hired. If Apple *did* hire him after that, what does that say for the credibility of their developer agreements? Who would be the "blind idiot" then?

No wonder Apple hates him

[sandytaru]

He's one of the guys that proved Apple isn't so unhackable and "immune to viruses" after all. He does have a point that NFC technology is too new to know whether it's safe, and honestly, I'm glad someone like him is on the case to determine just how exploitable it is. I've already had my bank account cleaned out once because of a hack into a store's debit card system.

Re:No wonder Apple hates him

[sideslash]

He proved there could be other malware apps like his successfully submitted and now lurking on the official App Store. So what was your point again?

The Dangers of NFC

[6031769]

Essentially with NFC you have this card/phone in your pocket which all day long is saying to every other device it meets, "Hey, are you an EPoS terminal? I'd really like to pay for something, now!". It is not clear to me why the dangers of this need to be demonstrated, least of all to delegates at BlackHat.

Re:The Dangers of NFC

[pnutjam]

And phone companies have a long history of being nothing but trustworthy, it's why they consistently the most loved companies in consumer surveys.

Article submitter's an idiot

1) Apple phones don't have NFC chips in them so Charlie Miller cannot be "exposing them"

2) Charlie Millier will be exposing security problems of NFC with Android phones.

3) Charlie Miller is also Google's nemesis and has exposed how silly Android security testing is:

http://www.darkreading.com/vulnerability-management/167901026/security/client-security/240003490/apple-ban-gives-miller-time-to-hack-other-things.html

4) timothy seems to have an axe to grind against Apple so he's submitting these idiotic articles lately. It's he, however, that looks stupid as a result.

Re:Article submitter's an idiot

[MagicM]

Apple phones don't have NFC chips in them

Apparently there is some evidence that the next generation iPhones will have NFC chips in them.

Re:What makes you think his "sentence" is down?

Oh Apple is fully within its rights, aside from the breach of fiduciary responsibility. Smart companies pay people like this for their services. Smarter ones give them a free tshirt and work for free. Stupid ones attempt to censor and really stupid ones prosecute.

Faraday Wallet How -to anyone??

[RobertLTux]

Does anybody have a good set of instructions on how to make a Faraday Cage wallet?? (note not how to buy said wallet or something on a split between 64 pages so we can get ad income for 64 page views thing like instructables)

Re:Faraday Wallet How -to anyone??

[Greyfox]

Maybe make a duck tape wallet but add some layers of that copper fabric Adam used in the "Gun to a knife fight" episode of Mythbusters? You'd just need to make sure the copper completely surrounds your cash, cards, passport or phone. I think a good way to test it would be to turn on wlan on the phone, connect to your local router and then slap that sucker in the wallet and see if the router can still find its mac address.

RPI Polymath has some instructions on making a duck tape wallet. For the copper fabric maybe just use a 2 side tape out the outermost skin and then tape the fabric to that. Make the fabric a bit longer all the way around so you can sew a metal zipper in. I'm not sure how well it would work, so definitely test it afterwards.

Re:What makes you think his "sentence" is down?

[DJRumpy]

How are they censoring him? He uploaded an exploit into the App Store. If he wanted to bring attention to it, all he had to do was to contact Apple or put something on the net. Instead he violated the terms of use and his developer agreement and uploaded said exploit instead.

Re:Just iOS or NFC itself

[MachineShedFred]

I doubt it's specific to iOS, as there are exactly zero iOS devices with NFC, and there is zero exposed support for NFC in either the production iOS 5.x, or the beta of 6.x.

NFC and Payments

[__aajwxe560]

So there I am standing at the gas station yesterday, and I catch a quick glimpse of one of those ad's on the TV screen offering to give you 5 cents off per gallon if you pay at the pump with NFC through your phone. I'm a bit amused by this as right next to it is a sign saying not to use your cell phone at the pump with a funny symbol of fire next to it. Curious as to the contrary suggestions, I look at the fine print of the NFC ad where it basically says "for your safety, you can only use this as a single pump" or basically trying to manage the risk by only using it briefly. This is somewhat funny as they can't seem to make up their mind as to whether is it safe, or isn't it?

Re:NFC and Payments

[Overzeetop]

Load 120-150lbs of a flammable liquid designed to explode at a low-to-moderate concentration in air into a container
Strap said container to a box loaded with 1-7 humans
Energize the entire chassis with a stored energy source capable of providing several hundred amperes of potential current flow
Accelerate several hundred of such boxes to 100+fps velocity separated by 3-6 feet
Take a second group and send them towards the first so the to groups pass no more than 3-6 feet apart.
Make no provision for automatic/active avoidance
????
(profit, I suggest, is not the likely outcome for any participants)

I rarely concern me self with using a cell phone around gas stations, given the otherwise ridiculous amount of risk which is involved in the operation of a vehicle.

Re:NFC and Payments

[Inda]

Then English version of Mythbusters (Brainiac?) tried to explode a cavavan using mobile phones and petrol. They filled the inside with vapour, added half a dozen mobile phones, and called them all at once.

Disapointing is the word. Nothing happened.

I've also seen a cigarette dropped into a glass full of petrol.

Disapointing again. Nothing happened.

Re:Wireless

[GameboyRMH]

Block, yes, spoof, no. Try spoofing a keyfile-secured SSH connection between a laptop and a wireless router.

Re:Reading comprehension is good for you

[jo_ham]

If you think that summary *isn't* a blatant swing at Apple, written to make Charlie's completely non-Apple-related NFC hacking look like something to do with Apple and the app store, then I have a bridge to sell you.

If we're jumping to conclusions about what this means for Apple when two of the three sentences specifically mention Apple and his link to them and the "ban" from the App Store for violating his dev agreement. If Apple, the App Store and iOS have nothing to with this then why is 66% of the summary dedicated to it?

The salient point appears to be that he will show something related to NFC hacking at a conference using a "smartphone". Interesting how the particular model of smartphone or the OS it runs is not mentioned, yet the other 66% of the summary heavily mentions Apple. Mmm. Seems legit.

Either way, we know it's not an iPhone or iOS since the iPhone doesn't have any NFC hardware in it, unless he managed to get his hands on the rumoured iPhone 5 prototype that might have it included but no one knows yet.

Comparable? I doubt it

[sjbe]

I ended up getting an HP laptop with all or better specs than a comparable Ibook and at less than half the cost.

Really? You found an HP that runs OS X? Also where is this "Ibook" you are referring to? Apple does not sell any laptop branded Ibook or IAnything for that matter. And very much doubt you found anything that is truly similar for "less than half the cost" once you include ALL the hardware including the case and the rest of it. I've compared ultrabooks running Windows from various vendors to Apple's offerings myself. While Apple certainly wasn't the cheapest they weren't a whole lot more expensive once you compared their stuff to the most similar stuff from HP and the rest.

The only difference is my laptop is not ultra-thin, which is unimportant to me.

So the hardware is not the same. If you don't like Apple's products that's fine. Nothing wrong with that. My own laptop is an Acer and it is excellent. But unless you compared extremely similar hardware you weren't doing a serious comparison.

Re:NFC "Danger"

[CanHasDIY]

having a gun on you doesn't keep your money safe.

No shit. Being properly trained and highly skilled in their use, however, is mighty effective.

Mostly correct - equally important to training is maintaining proper situational awareness. You can spend all the time you like practicing at the range, but unless you remain aware of your surroundings and the potential threats they may contain, all that training will be for naught.

The Wikipedia entry for John Cooper is quite informative to this end, as well as providing excellent information regarding proper handling and safety measures in regards to firearms.

When your choice of marks is A) a mean looking guy with a large pistol strapped to his side, or B) a scrawny dork with a cell-phone where his pistol should be, the path to take is obvious.

This is where concealed carry / strong castle laws come in handy - though the "scrawny dork" isn't openly carrying, that doesn't mean he's not carrying. The choice of marks is less obvious, and the smart criminal (i.e., the one who lives to crime another day) would cut his potential losses and walk away.