Q&A with Charlie Miller on hacking the T-Mobile G1 phone with Google Android software

Charlie Miller has another notch in his belt. The security researcher at Independent Security Evaluators headed a team that hacked Google’s Android software, which debuted last week on the T-Mobile G1 cell phone. Miller, Mark Daniel and Jake Honoroff were able to hack the G1 and compromise its web browser just days after sales began. Miller notified Google of the vulnerability, but also told the press because of his concern that users were vulnerable. Miller has performed a number of hacks before, including cracking the Apple Leopard operating system, Second Life, the MacBook Air, and the iPhone. Google and T-Mobile say that the risk to consumers is low and that they’re working on a patch to fix the security hole.

VB: Is the vulnerability serious if they don’t fix it?

CM: It’s serious. Until they dominate the marketplace, there isn’t likely to be a huge wave of bad guys targeting this phone. If I have an Android phone, and a bad guy is targeting me, this is the way for them to do that.

VB: So you’ve done Google a favor here?

CM: I think so. They should be happy.

VB: How did you start thinking about how to hack the Android software?

CM: Android has had a software development kit out for a while. And it has an emulator. The emulator acts just like a phone would. We have been looking at that for a while. It’s been a long time. We are interested in mobile security. We thought it would be bigger than it was, like the iPhone. We poked around and found this bug in the SDK. It wasn’t obvious because they don’t update the SDK very often.

VB: How long did it take you to find it?

CM: I found it in an early version instantly. I hadn’t checked the most recent version for the sake of time. It wasn’t obvious the bug would wind up in the real phone just because it was in the SDK. I thought they would fix it.

VB: There were 80 different components from open-source software and they just didn’t update all of that to include all the bug fixes?

CM: That’s what the Google guy told me. They have all of these components. What they did wrong was that they had a version of the open-source software that had a bug.

VB: You haven’t described it fully yet?

CM: I was waiting until Google came up with a bug fix.

VB: When you hacked the Apple Leopard operating system, you had some restrictions on what you could say.

CM: I never signed a non-disclosure agreement. Before, with the iPhone, I told them that I would talk about their vulnerability at the Black Hat conference, so they had to fix it by then. And they did. With Leopard, the software wasn’t released. I had to sign an NDA to get it. I couldn’t talk about the bugs I found until they released Leopard.

VB: What’s Google’s history been like as far as dealing with people who are trying to hack their software?

CM: My encounter with them has not been pleasant. They sent a message out to the research community back in March and asked everyone to look at Android. Please find bugs. Report them. They wanted our help.

VB: And you helped them out.

CM: It turned out they weren’t so happy when we actually did it.

VB: They wanted more time before you went public with it?

CM: They wanted me not to say anything until the fix was ready. That’s reasonable on their side. But my feeling was that if people were spending bucks on the phone, and they are using it, they have a right to know if there is a problem. It doesn’t do any good if I am the only one that knows.

VB: The exposure to the consumers started on the day T-Mobile started selling the phones.

CM: Exactly. I wasn’t going to share all the details. Bad guys can’t use that information to their advantage, but consumers can act accordingly.

VB: Is it possible that, from what you’ve said, bad hackers could figure out how to exploit the vulnerability?

CM: It’s certainly possible. Nothing has indicated that anyone has figured it out. I’m sure they will.

VB: How much have you described it?

CM: It’s a problem with a browser. It’s a buffer overflow. If you can get them to go to a malicious web site, then you can run code on their machine as the browser. From that description, it’s exactly just like the iPhone hack that we did. The part I’m leaving out is the technical description of what is different. Web browsers are complicated. They have a lot of code. There are a lot of bugs in there.

VB: You’re making a name for yourself hacking the biggest tech gadgets that come out.

CM: Guys like me think it’s fun to play with the latest gadget. Sometimes I get lucky and find bugs. Sometimes I don’t.

VB: Have you got some feedback on how Google can fix this one?

CM: It’s easy to fix because all Google has to do is update the software with the latest open-source patches. The hard part is getting it to people’s phones. Google can apparently do that by having users download files with a fix. And T-Mobile will likely have an over-the-air update that sends it to users’ phones. It could take a while for Google and T-Mobile to get on the same page.

VB: Google mentioned they took a sandbox approach to Android.

CM: With the iPhone, if you took over the browser, you could do anything on the phone. You could read email, dial the phone, send a text message or whatever you want. On Android, every application is its own user. They have their own files and permissions. I can run code as the user’s browser. I can do what the browser can do when I take it over, like read passwords. But I can’t read the email, I can’t dial the phone, and I can’t send text messages. That’s really good. That’s exactly what I told Apple to do earlier. I’m not saying Google paid attention to me.

VB: Now the Android Marketplace is set up so that anyone can upload software to the market for a $30 fee. That sounds a little scary, in terms of security.

CM: It is a little scary. But if you look at the way that the applications run, it’s not. The only applications you can run are Java applications. They run inside the Java sandbox. If the hackers create a program that wants to do something like access contacts, it can’t do it just like that. The Android software will ask the user if they really want to allow that. You can say no, forget it. The apps that run on the iPhone are pure, native applications. But those running on Android are Java apps.

VB: It sounds like one of the vulnerabilities of the computer-like mobile phones is that they inherit the vulnerabilities of computers.

CM: That’s why I started getting into security for mobile devices. People are scared of computers. They know that they should have anti-virus protection. They know they shouldn’t click on strange links or emails. They forget to do that with their phones. On older phones, nothing bad could happen. Psychologically, people haven’t quite caught up with the fact that phones are vulnerable. I like to point that out.

VB: Is this helping your business to do all of these famous hacks?

CM: I don’t know if it helps the business side. If I don’t have anything to do for a client, this is what I like to do. It’s like a lawyer doing pro bono work. Everybody wins.