Chop well

NSA - Super Hacker: "Nobody can guarantee that there are no back doors built into cell phones"

Super hacker: "Nobody can guarantee that there are no back doors built into cell phones"

Charlie Miller worked for the NSA. He hacked computers, iPhones and cars. He thinks it is good that Switzerland wants to launch an e-voting system.

Shortly after Apple launched the iPhone, Charlie Miller managed to hack it. But the American became world famous when he showed in 2014 that cars could also be hacked from afar. Together with his colleague Chris Valasek, he brought a Jeep Cherokee under control. For demonstration purposes, he cracked the car of a journalist from the technology magazine “Wired”, turned the radio to full volume, let the windshield wipers go crazy and finally turned off the engine on the highway. We met the “stunt hacker”, as the “Süddeutsche Zeitung” called him, not in the car, but in a café in Friborg. There he gave a lecture to the assembled Swiss IT elite.

How difficult would it be to hack me?

Charlie Miller: Probably not too difficult. But don't worry, I won't do it. I'm one of the good guys. (laughs) Also: I find it more exciting than hacking people to find vulnerabilities in codes written by well-known companies like Apple.

An e-voting system developed by Swiss Post is currently being tested in Switzerland. Hackers are encouraged to crack it.

I've heard of that. I think it's good that the Swiss Post has the system tested by hackers. But it doesn't go as far as necessary. As a hacker you have to register and adhere to conditions, for example you are not allowed to share the code with everyone. As if hackers with criminal interests were sticking to something. These are unnecessary restrictions that ultimately come at the expense of security.

The super hacker

Charlie Miller has won the hackers' Super Bowl, Pwn2own, several times. He discovered a number of vulnerabilities in various Apple products. Miller studied math and then worked for the NSA, Twitter, and Uber. The 46-year-old lives in St. Louis (USA). The interview was held in Friborg
the Swiss Cyber ​​Security Days. (RAS)

In the IT and hacker scene in particular, there are many who think that e-voting should not be allowed. Do you have any concerns?

I think e-voting is a good idea. That makes it easier for people to vote in an election. This can probably increase voter turnout. But you have to invest a lot in security. I am convinced that it is possible to develop a secure e-voting system.

But it won't be one hundred percent certain.

Basically anything can be hacked, it's just a matter of resources. But even the conventional system with ballot papers is not safe from election manipulation. I think that you can make e-voting at least as safe as a conventional voting system if you build in enough security and control mechanisms.

Would it make sense to use the blockchain technology, on which the crypto currency Bitcoin is based, for e-voting?

The blockchain has many advantages, it could also be used for e-voting. The difficulty, however, is to guarantee that with this technology, too, the state only learns how many votes each candidate has received, but not who voted for whom. Voting secrecy must also be preserved in the digital space.

Among the many things you hacked is a jeep. Was that a particular challenge?

Yes, my colleague Chris Valasek and I worked on it for around a year. We managed to get remote access to the audio system fairly quickly. We were able to change radio stations and regulate the volume. We were also soon able to regulate the air conditioning. But that wasn't enough for us, we wanted to take control of the whole vehicle.

How did that finally happen?

There is a computer unit that shields the brakes and controls from the audio system. We had to crack this. It took us at least six or seven months. Then it was a matter of figuring out which commands to send to activate the brakes or turn the steering wheel in one direction. That also succeeded.

Sounds pretty dangerous.

Yes, if a person with bad intentions could have done that, they could have gained power over an entire fleet of cars, causing pile-ups.

You didn't do that.

Of course not! We reported the error to the manufacturer. He had to call back 1.4 million vehicles and update the software. Because, unlike with computers or smartphones, there was no way to remotely play an update on the computers in the cars.

Do you see hacked cars as a big problem?

Thanks to our work, it got massively smaller. Not only Jeep manufacturer Chrysler has recognized that cars can be hacked and the software adapted accordingly, but also other manufacturers. We have created an awareness of this.

In contrast to conventional computers, no criminal hacker has apparently yet succeeded in controlling cars. Have we just been lucky so far?

It's more of a combination of different circumstances. First of all, it's really not easy to hack a car. If you want to harm someone, there are much easier ways than spending a year hacking your car. On the other hand, it is difficult to make money with it. It is much easier to gain access to someone's computer, to encrypt the hard drive with what is known as ransomware and thus blackmail them.

Wouldn't it be possible to develop ransomware for a car too? The car would not start moving until you paid the hacker a ransom.

That would be possible. But you would have to invest a year for this, maybe two hours for a computer. Ultimately, it's always a question of effort and income.

The longer cars become, the more autonomous they become. Self-driving cars seem like a matter of time. Does this make the problem worse?

Self-driving cars require more computer software and are connected, which makes them more prone to hacking. At the same time, the software is so central that the manufacturer is constantly improving it with updates. This is different from previous cars, where the software has not been changed since delivery. A computer that has not received an update in ten years is easy to hack. Ultimately, this also applies to cars.

Not only cars are connected to the grid, but also smart houses, factories and household appliances. We're talking about the Internet of Things. Does this pose new dangers for security?

When I started hacking, web browsers were still very easy to crack. Now you can hardly do that anymore. Then came the smartphones. At first they were relatively easy to crack. But with each loophole that was found and closed, that became more difficult. That will also be the case with the Internet of Things. We are currently seeing a lot of attacks on household appliances and other things that are connected to the network. That won't be the case in a few years.

You also worked for the NSA. What did you hack?

I worked for the NSA as a computer specialist for five years. That's all i can say

That is not much.

I can keep a secret.

Not everyone thinks that way. Edward Snowden ...

... the difference between Snowden and me is: I am free, he can no longer leave the house.

Thanks to Edward Snowden, the general public became aware of the power of the NSA. Did something come out that surprised you?

Yes, that the NSA is spying on its own citizens. We agents were always told not to do that. To hear that it was a lie was very disappointing.

The Chinese network supplier Huawei is playing an important role in expanding the mobile network to the new 5G standard. The USA calls for a boycott of the company on suspicion of espionage. Should Huawei Scare Us?

I do not know. But I think we should think about giving this company so much power. Blindly trusting Huawei would be wrong. In general, the following applies: Whenever you purchase products from a third-party company, you should check them carefully. Not much more can be done.

Manufacture all components yourself?

Not even the USA can do that. The routers that Cisco uses, for example, are made in China. It's not just about the network itself, but also about the devices. Almost all computers, tablets and smartphones are built in China - including those from Apple. Nobody can guarantee that there are no back doors installed.

You are considered to be the first person to manage to hack an iPhone. Is it safer now?

Yes, definitely. The iPhone is very safe. It is perhaps the safest device available in stores. That's because Apple controls the entire app ecosystem. You can't just download software for it on the free internet. The common hacker won't hack your iPhone. It is of course different with secret services.