Episode 596: Johnny Mnemonic's Secret Door : Planet Money

How one man stumbled into a flaw in Apple's operating system and found a way to hack into the phone you might have in your hands right now. The iPhone 5s.

ZOE CHASE, BYLINE: Hey, PLANET MONEY listeners, NPR has a new show. It's called Invisibilia, and it is hosted by the very excellent Alix Spiegel and Lulu Miller. Alix is from This American Life and NPR. Lulu is from Radiolab. This show is so good. It's about the invisible forces that shape human behavior, and you can get it wherever you get your podcasts.

STEVE HENN, HOST:

Just so you know, this podcast includes some foul language. In the summer of 2013, the folks at Apple had some exciting news. They were going to release this whole new operating system for the iPhone - iOS 7. And Apple designers talked about this like it was a huge revolution.

(SOUNDBITE OF ADVERTISEMENT)

UNIDENTIFIED MAN: iOS 7 brings with it the most significant changes that we've made to the user interface.

HENN: Now for most users of the iPhone, this is one of those moments where you roll your eyes, cross your fingers, click that download button and just pray your email doesn't disappear. But for a certain segment of the world, this new operating system was a tremendous opportunity - hackers. Every time there's a big new thing - a new release of some software - an operating system, a browser, hackers start a race. Each new release is an opportunity for these people because there are these giant players who desperately want to find a flaw in these systems. And there's always a flaw - some mistake in the code, like a secret way to get inside. And these players want to find it first.

So obviously there are the criminals who want to get inside and be able to steal things, poke around. But that's just the beginning. There are foreign governments who want to break open these systems so they can spy on us. There's our government which pretty much wants the same thing. And of course, there's Apple. Apple is always racing to find flaws before anyone else does so it can fix them. So you have all these giant teams of programmers, hundreds of hackers for hire. And they're all hunting for the same thing. In this particular race, though, the race to hack iOS 7, the one who found that key flaw first was a loner - this tall, gangly guy who hasn't told his story to anyone until now.

JONATHAN STEWART: I don't want to be known as somebody who talks. But I'm just saying, you know, you came to me and asked if there's a market for this stuff. Absolutely there is.

HENN: Hello and welcome to PLANET MONEY. I'm Steve Henn. Today on the show, how one man stumbled into a flaw in Apple's operating system - a way to hack into the phone you might have in your hand right now - the iPhone 5s. It's a story about a million dollar deal, friendship, betrayal and an all-out race to hack the iPhone.

(SOUNDBITE OF SONG, "OUT OF MY SYSTEM")

JAMIE LIDELL: When I've got to go, I've got to go. And so I thought I'd let you know - gotta get this out of my system. Gotta get this out of my system.

HENN: I have a special guest hosting the show with me today - Aarti Shahani, our colleague at NPR who covers technology. Aarti, you were the first person to tell me about this guy, this loner who discovered this one particular flaw.

AARTI SHAHANI, HOST:

Yes. By day, the hacker calls himself Jonathan Stewart. He has a freelance job, a computer contractor. He says he's done work for Google and Microsoft. He has a family, lives in the Phoenix suburbs. I don't know what I expected when we visited him, but this was not it. It was big stucco houses, manicured lawns.

HENN: So this neighborhood sort of reminds me of the neighborhood in "Weeds," you know, all of the houses made out of ticky-tacky.

SHAHANI: Is that a golf cart? (Laughter).

HENN: It is a golf cart. It's a golf cart with three kids on the back.

SHAHANI: Our hacker lives in suburban paradise.

HENN: Really.

HENN: Jonathan Stewart (ph) met us at the edge of his lawn - tall, skinny guy, 30 years old. He still dresses like a skater.

STEWART: You want to just go this way?

HENN: Sure.

SHAHANI: Nice place.

STEWART: Oh, thanks. You can just sit in here.

HENN: He has this Boston Terrier named Marley.

STEWART: You like new people, don't you?

SHAHANI: Do not bite my mic.

STEWART: Don't do that.

SHAHANI: Jonathan grew up as one of those computer savants. He knew how to get into any system. And he always thought of himself as one of these good guys. He still does. By day, he helps the largest companies in the world find bugs - security flaws.

HENN: But at night he would poke around on his own. At night he worked for himself and had a hacker name, an alter ego - Johnny Mnemonic. It's from the old science fiction story about a guy with a computer for a brain. At first, when Johnny found flaws in major software programs, he'd tell the company and help them fix it. But he got frustrated. He says lots of times these companies ignored him, didn't fix the problem or maybe just offered him a tiny token in payment.

STEWART: These are major companies employing the best developers in the world, and for years we got paid zilch, nothing, for finding these vulnerabilities and writing exploits for them. So - you know what? - it's kind of time to, like, get paid for your work. You know?

SHAHANI: If you find a flaw in a piece of software, there are a lot of other people who will pay for that information, especially if no one else knows about it. In fact, there's a specific term for this kind of information. It's called a zero-day hack. Zero as in it's been zero days since the rest of the world has known. No one knows, not even the guys who wrote the software.

HENN: Johnny Mnemonic started to make extra cash searching for these zero-days in his spare time. He'd make a few thousand dollars here or there selling this information. It's legal to just point out software flaws and sell them, even if Johnny never exactly knew for sure who the buyers were or how they were using the hacks. His million dollar discovery of this flaw in the iPhone started the same way - just like these other hacks.

STEWART: Yeah. I remember exactly where I was. I was actually in Redmond working...

SHAHANI: Back in those days, in 2013, Johnny was in Redmond, Washington, and he was working for Microsoft on a contract. So by day he'd clock in, and in the evenings he'd be sitting on a sofa, poring over source code for Apple - the stuff that powered the MacBook and the iPhones.

STEWART: OK.

HENN: So in the green first.

STEWART: So this register is just a precursor to this. It means to store the structure pointer.

HENN: Johnny is reading from a black screen. It's just a mash of indecipherable characters, letters, numbers.

STEWART: It was indexing something.

HENN: This is the iPhone's operating system. And Johnny would sit on his couch in Redmond and just pore through this code all night. It's boring work.

SHAHANI: It's really boring work, kind of like those guys with the metal detectors who sweep through the beach, hunched over looking for treasure.

HENN: Yeah. It's crazy. And it's all about patience and persistence. And eventually Johnny finds his little gold coin.

STEWART: (Reading code) CD3_c *c= get c ).

SHAHANI: Johnny knew it. He'd seen it before. Every piece of software, even Apple's latest, fanciest stuff, is old school. It's cobbled together from other bits of software.

HENN: And that line - the line he just read - believe it or not was infamous back in the 90s for triggering what was called an indexing error. There it was, a vintage 1990s flaw, sitting in the middle of Apple's brand-new iPhone.

STEWART: I wanted to see if it was what I thought it was, you know?

SHAHANI: You play bugs the way I play 90s hip-hop.

STEWART: Yeah? (Laughter).

HENN: These operating systems are built like fortresses or jails. What Johnny had discovered was a secret door through just one wall. It was an important wall, a wall that separated the inner sanctum of Apple's system. But - and this is also important - he didn't have the key to open up that door. No one did.

SHAHANI: And that's kind of why Johnny didn't realize he was holding on to gold. He sat there on the couch, told a few friends about his discovery and thought that maybe somewhere down the line, down the road, he'd sell it for a few thousand bucks to someone who cared.

HENN: What Johnny didn't know was at that moment, there were a bunch of Chinese businessmen who had just offered a vast sum of money to the person who could find and open that door. Now I'm about to play you a phone call that was recorded. It's from around this time. The voice you're going to hear is a broker of sorts. This is a guy who hooks up hackers with people who want to buy their hacks. This guy's name is Ty.

(SOUNDBITE OF PHONE CONVERSATION)

TY: And the crazy part is when this shit pops off because it's going to pop off big, you already know mother fucker over here are going to know I had something to do with it. I'm just going to laugh. I'm going to play dumb. I don't know nothing.

SHAHANI: Ty had heard about Johnny's secret door because one of Johnny's own friends sold him out. And now that Ty knew, he approached one of the best digital lock pickers on the planet - a hacker known as Geohot, who's the guy on the other end of this phone call. And even if what he's saying makes no sense, just listen for the excitement in his voice.

(SOUNDBITE OF PHONE CONVERSATION)

GEOHOT: So you know, you talk about - there's a big difference between a vulnerability and an X-line. It's a nice vulnerability.

TY: Right.

GEOHOT: But, you know.

HENN: Here was the plan. Take Johnny's discovery, basically have Geohot make some keys that unlock that secret door, and then sell this as a package deal to the Chinese, one time only, the secret to taking over the iPhone.

(SOUNDBITE OF PHONE CONVERSATION)

TY: So it - I mean, listen, bro, it will be cool. We'll set it up. Matter fact, I'll shoot over to China. You shoot over there. Let them meet you. They'll fucking go ape nuts to meet Geohot. And, hey, how you doing? Blah, blah, blah.

HENN: Ty recorded this call for his Chinese buyers. Eventually, it leaked out online. And we verified who was on the call.

SHAHANI: The Chinese businessmen wanted the iPhone hack for a very specific reason. You know how the iPhone makes you go get your apps from the iPhone store - Apple takes a cut of everything, controls everything, it's Apple's money? Well, with this hack, that changes. The Chinese businessmen get the keys to break out of Apple's jail, to jailbreak, so to speak, the phone. And then they set up their own app store so that customers buy directly from them. The Chinese businessmen get the profits, not Apple.

HENN: And the Chinese businessmen were willing to pay a lot of money for this.

(SOUNDBITE OF PHONE CONVERSATION)

GEOHOT: OK, so let's make clear what the contract is.

TY: $300 - you want $350,000.

GEOHOT: Uh-huh.

HENN: $350,000 is just Geohot's cut. That's it. There is no discussion of giving the money to Johnny Mnemonic or his friend. These guys are going to keep the prize to themselves.

(SOUNDBITE OF PHONE CONVERSATION)

TY: How do you want the money sent? Directly to you? You want it sent to me? Me send to you?

GEOHOT: However it's going to appear the least...

TY: Well, listen, listen. We could do it like this because I do have the company. I'm paying you as a developer.

GEOHOT: Yeah, yeah, yeah, yeah.

TY: You follow me? My shit is 1,000 percent legitimate. It'll look good, nice paper trail.

HENN: So Ty and Geohot are already spending the money in their minds. And Johnny Mnemonic, he's back working his corporate gig; an office drone for hire. He has no idea this is going down.

SHAHANI: But remember, this is a race. And while these guys are joking around on tape, another group of hackers gets to the finish line first.

DAVID WONG: My name is David Wong. I go by planetbeing on the Internet. And I'm a member of the Evad3rs.

HENN: The Evad3rs - four guys spread across three continents who came up with a superhero-like name - the Evad3rs.

SHAHANI: They also heard about Johnny Mnemonic's secret door. And they cut a deal with a different group of Chinese businessmen with their own app store. That deal was for $1 million.

WONG: It was an incredible, life-changing amount of money. And, you know, I was really shocked. I was flabbergasted. I - you know.

HENN: When it comes to hacking the iPhone, David Wong is a rock star. His contact in China flew him and his entire team, all of the Evad3rs, to China all expenses paid.

WONG: There - it was pretty incredible for everyone.

HENN: The million-dollar hack.

SHAHANI: Here's the weird thing about the hacker world. While the race is on, everything is secret and opaque. No one wants to talk too much about money or how they get what they got or what code they're trying to crack. And if you talk too much, you can get burned.

HENN: David Wong says a guy Johnny knew who knew about Johnny's secret door sent it to the Evad3rs hoping that they all could work together. David says he turned him down, and then he never looked at it. And this is why you don't talk. Johnny's discovery was now worth hundreds of thousands of dollars, and people were peddling it behind his back.

In the end, the Evad3rs won this race. They figured out how to jailbreak the iPhone 5s before anyone else. And remember, they had struck a deal with a Chinese company. And here's basically how the deal worked. When users in China downloaded their jailbreak, they would automatically download software for this Chinese app store. And now for a whole bunch of reasons that are really too complicated to get into, jailbreaking iPhones in China is incredibly common. So this hack was incredibly valuable.

App stores charge commission on every app they sell. Millions of people were downloading this jailbreak. So that's why this was a million-dollar hack. Now word of this hack began to spread on the Internet and on Twitter. And suddenly, everyone knew David Wong and the Evad3rs were responsible.

SHAHANI: And that's when Johnny Mnemonic found out. And the more he read, the madder he got. It was his secret door. He knew it, he recognized it. That old flaw from the '90s, it was his find.

STEWART: After I sort of found out the entire story from talking to, you know, other people, you know, then I put it together and, like - I was just kind of like - I felt used.

HENN: Used. Johnny had played it over in his head. He knows everything about code, but he didn't realize just how big and cutthroat the market for this hack was going to be. He never thought that one of his friends would turn on him, sell him out.

STEWART: And that's sort of how I fell into this little trap here, like, I didn't know the background of the, you know, certain individuals. You know, I was from a different scene. I just didn't know these people. Like, you know, you have to know everybody that you're working with. And I just, you know...

SHAHANI: What you're saying is that you trusted the wrong person.

STEWART: Yeah. I basically - yeah.

SHAHANI: This is the problem with quasi-legal markets like this one. There are no rules, no watchdogs, no court system to protect your discovery. It's winner take all, you snooze you lose.

HENN: It's slowly changing, though, in ways you might not expect. Companies that make this stuff, this software, companies like Google and Facebook have woken up to the fact that this market in flaws exists. And they've decided since they can't kill it, they can control it, they can't stop it, they're going to join it.

These companies are beginning to pay real money to solo hackers like Johnny. That way they can get these flaws, find these holes and seal them up before someone turns the key. They write new versions of their software, release it to millions of phones, fix the bugs, and then of course that race to break in, it starts all over again.

(SOUNDBITE OF SONG, "OUT OF MY SYSTEM")

LIDELL: (Singing) My doctor told me I was not on a machine.

SHAHANI: One short epilogue about that million-dollar hack, the one that David Wong and his team tried to put together, well, it fell apart. After they made the deal with the Chinese, the hacker world exploded in anger. This new Chinese app store, it turns out, the one made possible by the secret door, it was filled with pirated software. And computer programmers were pissed.

WONG: It was a torrent. It was overwhelming. It made me feel really, really terrible. I don't know. They were just angry and yelling. And I didn't want to read most of it.

HENN: So David Wong and his team canceled their deal. They basically tanked that Chinese app store. And Wong says, he and his team never collected a dime.

(SOUNDBITE OF SONG, "OUT OF MY SYSTEM")

LIDELL: (Singing) The more I hear, the less I understand. Used to be so certain, now I'm not so sure.

HENN: We'd love to hear from you and hear what you think of today's show or other shows. You can reach us at planetmoney.com.

SHAHANI: We also want to let you know about NPR's newest show. It's called Invisibilia, and it debuts January 9 from the people who created This American Life and Radiolab. Subscribe to Invisibilia on iTunes now, and don't miss a single episode. Again, beginning January 9. We want to thank the producers Jess Jiang and Phia Bennin.

HENN: And I'd like to thank Uri Berliner who was kind enough to lend us Aarti for the show.

SHAHANI: I'm Aarti Shahani.

HENN: And I'm Steve Henn. Thanks for listening.

(SOUNDBITE OF SONG, "OUT OF MY SYSTEM")

LIDELL: (Singing) But before it's all over and done, I'm about to have me some fun. Got to get this out of my system. Got to get this out of my system. Got to get this out of my system. Got to get this out of my system. Yeah. I've got to, got to, got to...

Copyright © 2015 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.