Finding, Selling Flaws In Apple's Code Can Be Lucrative Work

Jan 14, 2015
Originally published on February 20, 2015 2:44 pm

Every time there is a big new release of some Apple software or operating system, hackers get to work — finding a flaw in Apple's computer code can be very lucrative. Criminals and even governments are willing to pay top dollar for the ability to get inside our iPhones.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

In the first week of this year alone, Apple sold more than half a billion dollars in software - apps, actually - through its store. For most folks who own an iPhone, the App Store is the only place to buy software for their device. In other words, Apple has created a monopoly. It takes 30 percent of every dollar spent, and it can do this because Apple locks every iPhone when it sells them. But it's possible to break out of Apple's jail. Steve Henn from NPR's Planet Money team brings us the story of three groups of hackers in a high-stakes race to do just that.

STEVE HENN, BYLINE: Every time Apple comes out with a new phone, hackers around the world go to work. The first one to find a way into the phone can sell that information - that hack - for a lot of money, especially if they can keep the deal secret.

JONATHAN STEWART: I don't want to be known as somebody who talks, but I'm just saying, you know, you came to me and asked if there's a market for this stuff. Absolutely there is.

HENN: This is Jonathan Stewart. Online he goes by the name Johnny Mnemonic. And I went to him because he was part of what became a legendary race to crack the iPhone back in 2013. To hear him tell the story, the actual caper was kind of dull. Johnny was sitting with a friend in an apartment in Redmond, Washington, on his couch poring through computer code, and he found a bug.

STEWART: Register struck CD3_SoftC *SoftC=Get soft C (ph).

HENN: That bit of code opened a back door into the iPhone. In the past, when Johnny found a bug like this, he'd tell the company about it, help them fix it. But Johnny had gotten frustrated.

STEWART: These are major companies employing the best developers in the world. And for years we got paid zilch - nothing - for finding these vulnerabilities and writing exploits for them. So you know what? It's kind of time to, like, get paid for your work.

HENN: And there is a worldwide market for bugs. Criminals, foreign governments, spies - they're all willing to pay for this stuff. Often, it's legal to sell it, so Johnny was thinking about selling. But there was this other team of hackers doing the same thing, already planning how they could make a fortune from breaking into that same door. The tape I'm about to play is from a phone call made around this time. There are two voices on the tape. One is a hacker. The other is kind of a broker - a guy who puts these deals together.

(SOUNDBITE OF ARCHIVED RECORDING)

GEORGE HOTZ: Let's make clear what the contract is.

TY MANICA: You want 350,000.

HENN: The hacker is George Hotz. He goes by geohot, and he's famous in this world. The broker is a guy named Ty Manica, and Ty recorded the call. He had heard about that door Johnny had, and he knew some people who really wanted to hack the iPhone - huge tech companies in China that were gearing up to launch their own app stores. But for these stores to get off the ground, millions of Chinese iPhone users would have to break their phone out of Apple's jail. So here was the plan - take that back door Johnny had, sell it to the Chinese businessmen, cut Johnny out of the deal and split the profit.

(SOUNDBITE OF ARCHIVED RECORDING)

MANICA: Listen, bro. It'll be cool. We'll set it up. As a matter of fact, I'll shoot over to China, you shoot over there, let them meet you...

HENN: It's amazing to listen to this tape because it opens this window into the market for hacks. If a hacker finds a flaw, it could be incredibly valuable. But if word gets out, if he talks too much, it could be worth nothing. Someone else could use it. And the end of this whole story illustrates this perfectly because, as Johnny Mnemonic is trying to figure out what to do and these two guys on the phone are planning their trip to China, word spreads. And a third team beats everyone to the punch.

DAVID WANG: My name is David Wang. I go by planetbeing on the Internet, and I am a member of the evad3rs.

HENN: The evad3rs - a team of four guys spread across three continents who were offered a million dollars for the same hack, and they delivered.

WANG: You know, I was really shocked. I was flabbergasted.

HENN: It was an incredible, life-changing amount of money. They bragged about it online, and that's when Johnny Mnemonic found out that flaw in the iPhone he'd found was worth a million dollars to someone else.

STEWART: I put it together, and, like, I was just kind of, like - I felt used, you know?

HENN: And that is the thing about markets like this - no rules, no intellectual property protections. Even David Wang and the evad3rs ended up losing out. They got into a disagreement with their Chinese business partner about piracy and never collected a dime. Steve Henn, NPR News.

Transcript provided by NPR, Copyright NPR.