Episode 596: Hacking The iPhone For Fun, Profit, And Maybe Espionage : Planet Money Wikileaks released documents listing the hacks the CIA uses to spy on people. So we revisit our story on hackers for hire: people hunting for flaws in your phone to sell to people, or even the CIA.
NPR logo

Episode 596: Hacking The iPhone For Fun, Profit, And Maybe Espionage

  • Download
  • <iframe src="https://www.npr.org/player/embed/519298871/519337269" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Episode 596: Hacking The iPhone For Fun, Profit, And Maybe Espionage

Episode 596: Hacking The iPhone For Fun, Profit, And Maybe Espionage

  • Download
  • <iframe src="https://www.npr.org/player/embed/519298871/519337269" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


Hey, it's Robert Smith here. These days, as a reporter, you can never be too careful. And that's why here at PLANET MONEY, occasionally, we send messages using an encrypted messaging app called Signal. Now this bit of technology promises that no one can ever intercept or read your texts. But yesterday, I got a message on Signal (laughter) from a reporter friend, and the message said the CIA has figured out a way to read these messages.

Now, perhaps you saw this news too. WikiLeaks has released a bunch of stolen documents from the CIA. It is a list of hacks that the CIA uses to spy on people. And it turns out they can't actually break the encryption on apps like Signal, but they found a way around it, which is the CIA basically figured out how to get inside your phone and watch what you type, listen to what you say. In fact, they've also apparently hacked the Samsung voice-activated TV, so the CIA can listen in when you're talking in the room or yelling back at the TV.

Now, the documents don't reveal how the CIA cracked these systems, how they found the secret doors in your phone and your TV. Perhaps they have young people, you know, in a warehouse in Langley, Va., high on Red Bull, you know, hacking all night long. Or perhaps the CIA bought these hacks online because there is a booming marketplace for secret back doors into technology. And as soon as I read these news articles, I thought - oh, we did a story about just this very thing - about hackers for hire, about people who professionally - their job is to hunt for flaws in your smartphone and sell that knowledge to the highest bidder. The story focused on a loner, a single hacker, a tall, gangly guy who had never before told his story.


JONATHAN STEWART: I don't want to be known as somebody who talks. But I'm just saying, you know, you came to me and asked if there's a market for this stuff.


Right, right.

STEWART: Absolutely, there is.


SMITH: This show originally aired in 2015, but it literally allowed me to understand the news that is happening right now. So I will let the original host take it from here.


HENN: Hello and welcome to PLANET MONEY. I'm Steve Henn. Today on the show, how one man stumbled into a flaw in Apple's operating system, a way to hack into the phone you might have in your hand right now. It's a story about a million-dollar deal, friendship, betrayal and an all-out race to hack the iPhone.



I have a special guest hosting the show with me today, Aarti Shahani, our colleague at NPR who covers technology. Aarti, you were the first person to tell me about this guy, this loner who discovered this one particular flaw.

SHAHANI: Yes. By day, the hacker calls himself Jonathan Stewart. He has a freelance job, a computer contractor. He says he's done work for Google and Microsoft. He has a family, lives in the Phoenix suburbs. I don't know what I expected when we visited him, but this was not it. It was big, stucco houses, manicured lawns.

STEWART: So this neighborhood sort of reminds me of the neighborhood in "Weeds," you know, all the houses made out of ticky-tacky.

SHAHANI: Is that a golf cart?


STEWART: That is a golf cart. It's a golf cart with three kids on the back.

SHAHANI: Our hacker lives in suburban paradise.

HENN: Jonathan Stewart met us at the edge of his lawn. A tall, skinny guy, 30 years old. He still dresses like a skater.

SHAHANI: Hi - Aarti.

STEWART: Hi. Do you want to just go this way?

HENN: Sure.


SHAHANI: Nice place.

STEWART: Oh, thanks. We can just sit in here.


HENN: He just has this Boston Terrier named Marley (ph).


STEWART: You like new people, don't you?


SHAHANI: Do not bite my mic.

STEWART: ...Don't do that.

SHAHANI: Jonathan grew up as one of those computer savants. He knew how to get into any system. And he always thought of himself as one of these good guys - he still does. By day, he helps the largest companies in the world find bugs, security flaws.

HENN: But at night, he would poke around on his own. At night, he worked for himself and had a hacker name, an alter ego, Johnny Mnemonic. It's from the old science fiction story about a guy with a computer for a brain. At first, when Johnny found flaws in major software programs, he'd tell the company and help them fix it.

But he got frustrated. He says lots of times, these companies ignored him, didn't fix the problem or maybe just offered him a tiny token in payment.

STEWART: These are major companies employing the best developers in the world. And for years, we got paid zilch, nothing for finding these vulnerabilities and writing exploits for them. So - you know what? - kind of time to, like, get paid for your work, you know?

SHAHANI: If you find a flaw in a piece of software, there are a lot of other people who will pay for that information, especially if no one else knows about it. In fact, there's a specific term for this kind of information. It's called a zero-day hack. Zero, as in it's been zero days since the rest of the world has known. No one knows, not even the guys who wrote the software.

HENN: Johnny Mnemonic started to make extra cash searching for these zero days in his spare time. He'd make a few thousand dollars here or there selling this information. It's legal to just point out software flaws and sell them, even if Johnny never exactly knew for sure who the buyers were - or how they were using the hacks. His million-dollar discovery of this flaw in the iPhone started the same way, just like these other hacks.

STEWART: Yeah, I remember exactly where I was. I was actually in Redmond working...

SHAHANI: Back in those days, in 2013, Johnny was in Redmond, Wa., and he was working for Microsoft on a contract. So by day, he'd clock in. And in the evenings, he'd be sitting on a sofa poring over source code for Apple, the stuff that powered the MacBook and the iPhones.


HENN: So in the green first.

STEWART: So this register is just a precursor to this. It means to store this structure pointer.

HENN: Johnny's reading from a black screen. It's just a mash of indecipherable characters - letters, numbers.

STEWART: It was indexing something.

HENN: This is the iPhone's operating system. And Johnny would sit on his couch in Redmond and just pore through this code all night. It's boring work.

SHAHANI: It's really boring work, kind of like those guys with the metal detectors who sweep through the beach, hunched over, looking for treasure.

HENN: Yeah, it's crazy. And it's all about patience and persistence. And eventually, Johnny finds his little gold coin.

STEWART: C-D-3, underscore softC, space, star softC equals get softC, parens (ph)...

SHAHANI: Johnny knew it. He'd seen it before. Every piece of software, even Apple's latest, fanciest stuff is old school. It's cobbled together from other bits of software.

HENN: And that line, the line he just read, believe it or not, was infamous back in the '90s for triggering what was called an indexing error. There it was, a vintage 1990s flaw sitting in the middle of Apple's brand new iPhone.

STEWART: I wanted to see if it was what I thought it was, you know.

SHAHANI: You played bugs the way I play '90s hip-hop.



HENN: These operating systems are built like fortresses or jails. What Johnny had discovered was a secret door through just one wall. It was an important wall, a wall that separated the inner sanctum of Apple's system. But - and this is also important - he didn't have the key to open up that door. No one did.

SHAHANI: And that's kind of why Johnny didn't realize he was holding on to gold. He sat there on the couch, told a few friends about his discovery and thought that maybe somewhere down the line - down the road, he'd sell it for a few thousand bucks to someone who cared.

HENN: What Johnny didn't know was at that moment, there were a bunch of Chinese businessmen who had just offered a vast sum of money to the person who could find and open that door. Now, I'm about to play you a phone call that was recorded. It's from around this time. The voice you're going is a broker of sorts. This is a guy who hooks up hackers with people who want to buy their hacks. This guy's name is Ty (ph).


TY: (Laughter) And the crazy part is, when this shit pops off - 'cause it's going to pop off big - you already know motherfuckers over here are going to know I had something to do with it. I'm just going to laugh. I'm going to play dumb. I don't know nothing.

SHAHANI: Ty had heard about Johnny's secret door because one of Johnny's own friends sold him out. And now that Ty knew, he approached one of the best digital lock-pickers on the planet, a hacker known as Geohot, who's the guy on the other end of this phone call. And even if what he's saying makes no sense, just listen for the excitement in his voice.


GEOHOT: So, you know, you talk about - there's a big difference between a vulnerability and an exploit. It's a nice vulnerability.

TY: Right.

GEOHOT: But, you know...

HENN: Here was the plan - take Johnny's discovery, basically have Geohot make some keys that unlock that secret door and then sell this as a package deal to the Chinese. One time only, the secret to taking over the iPhone.


TY: So it - I mean - listen, bro, it'll be cool. We'll set it up. Matter of fact, I'll shoot over to China. You shoot over there. Let them meet you. They'll fucking go ape nuts to meet Geohot and - hey, how you doing, blah, blah, blah. We just came...

HENN: Ty recorded this call for his Chinese buyers. Eventually, it leaked out online. And we verified who was on the call.

SHAHANI: The Chinese businessmen wanted the iPhone hack for a very specific reason. You know how the iPhone makes you go get your apps from the iPhone store - apple takes a cut of everything, controls everything; it's Apple's money? Well, with this hack, that changes. The Chinese businessmen get the keys to break out of Apple's jail, to jailbreak, so to speak, the phone. And then they set up their own app store so that customers buy directly from them. The Chinese businessmen get the profits, not Apple.

HENN: And the Chinese businessmen were willing to pay a lot of money for this.


GEOHOT: So let's then - OK. make So let's make clear what the contract is.

TY: Three hundred - you want 350,000.

GEOHOT: Uh-huh.

HENN: Three hundred and fifty thousand dollars is just Geohot's cut. That's it. There is no discussion of giving the money to Johnny Mnemonic or his friend. These guys are going to keep the prize to themselves.


TY: How do you want the money sent - directly to you; you want it sent to me, me send to you?

GEOHOT: However it's going to appear the least...

TY: Well, listen. Listen. We could do it like this because I do have the company. I'm paying you as a developer.

GEOHOT: Yeah, yeah, yeah, yeah.

TY: You follow me? My shit is 1,000 percent legitimate. It'll look good - nice paper trail.

HENN: So Ty and Geohot are already spending the money in their minds. And Johnny Mnemonic - he's back working his corporate gig, an office drone for hire. He has no idea this is going down.

SHAHANI: But remember, this is a race. And while these guys are joking around on tape, another group of hackers gets to the finish line first.

DAVID WANG: My name is David Wang. I go by planetbeing on the internet, and I'm a member of the Evad3rs.

HENN: The Evad3rs, four guys spread across three continents who came up with a super hero-like name, the Evad3rs.

SHAHANI: They also heard about Johnny Mnemonic's secret door, and they cut a deal with a different group of Chinese businessmen with their own app store. That deal was for $1 million.

WANG: It was an incredible, life-changing amount of money. And, you know, I was really shocked. I was flabbergasted, you know?

HENN: When it comes to hacking the iPhone, David Wang is a rockstar. His contact in China flew him and his entire team, all the Evad3rs, to China, all expenses paid.

WANG: There - it was pretty incredible for everyone.

HENN: The million-dollar hack.

SHAHANI: Here's the weird thing about the hacker world. While the race is on, everything is secret and opaque. No one wants to talk too much about money or how they get what they got or what code they're trying to crack. And if you talk too much, you can get burned.

HENN: David Wang says a guy Johnny knew who knew about Johnny's secret door sent it to the Evad3rs, hoping that they all could work together. David says he turned him down and that he never looked at it. And this is why you don't talk. Johnny's discovery was now worth hundreds of thousands of dollars, and people were peddling it behind his back.

SHAHANI: In the end, the Evad3rs won this race. They figured out how to jailbreak the iPhone 5s before anyone else did. They could get around Apple's walls and use any software or any apps they wanted on the iPhone.

And remember, they'd struck a deal with a Chinese company. Here's basically how that deal worked. When users in China wanted to use apps that Apple doesn't approve of, they'd go and download this hack, this jailbreak, and that meant they'd automatically download the software for this Chinese company's app store. For a whole bunch of reasons we're not going to get into because it's complicated, jailbreaking phones in China is incredibly common, so this hack was incredibly valuable.

HENN: App stores charge commission on every app they sell. Millions of people were downloading this jailbreak. So that's why this was a million-dollar hack. Now, word of this hack began to spread on the internet and on Twitter. And suddenly, everyone knew David Wang and the Evad3rs were responsible.

SHAHANI: And that's when Johnny Mnemonic found out. And the more he read, the madder he got. It was his secret door. He knew it. He recognized it. That old flaw from the '90s - it was his find.

STEWART: After I sort of found out the entire story from talking to, you know, other people, you know, then I put it together. And, like - oh, just kind of like - I felt used.

HENN: Used. Johnny had played it over in his head. He knows everything about code, but he didn't realize just how big and cutthroat the market for this hack was going to be. He never thought that one of his friends would turn on him, sell him out.

STEWART: And that's sort of how I fell into this little trap here. Like, I didn't know the background of, you know, certain individuals. You know I was from a different scene. And I just didn't know these people. Like, you know, you have to know everybody that you're working with. And I just, you know...

SHAHANI: What you're saying is that you trusted the wrong person.

STEWART: Yeah, basically. Yeah.

SHAHANI: This is the problem with quasi-legal markets like this one. There are no rules, no watchdogs, no court system to protect your discovery. It's winner-take-all. You snooze, you lose.

HENN: It's slowly changing, though, in ways you might not expect. Companies that make this stuff, this software - companies like Google and Facebook - have woken up to the fact that this market in flaws exists. And they've decided since they can't kill it, they can't control it, they can't stop it, they're going to join it. These companies are beginning to pay real money to solo hackers like Johnny. That way, they can get these flaws, find these holes and seal them up before someone turns the key. They write new versions of their software, release it to millions of phones, fix the bugs. And then, of course, that race to break in, it starts all over again.


SHAHANI: One short epilogue about that million-dollar hack, the one that David Wang and his team tried to put together - well, it fell apart. After they made the deal with the Chinese, the hacker world exploded in anger. This new Chinese app store it turns out, the one made possible by the secret door, it was filled with pirated software, and computer programmers were pissed.

WANG: It was a torrent. It was overwhelming. It made me feel really, really terrible. I don't know. They were just angry and yelling, and I didn't want to read most of it.

HENN: So David Wang and his team canceled their deal. They basically tanked that Chinese app store. And Wang says he and his never collected a dime.


SMITH: This episode was originally recorded a few years ago. A quick update on what Johnny's been up to in just a sec.


SMITH: After the news came out this week about the CIA's tools to hack iPhones, we of course immediately thought - I wonder if Johnny's involved. So we tracked him down this week to see if he is still in the zero-day business and if he sold any to the CIA. He says he's working for a Fortune 100 company now. But he still does exploits on the side at night. And, he says, maybe they ended up with the CIA or maybe a company or maybe a foreign government. He really has no idea. The dealers he works with are anonymous.

This episode was originally produced by Jess Jiang and Phia Bennin. Today's version was produced by Elizabeth Kulas.

This month, NPR's collaborating with a bunch of other podcasts on a project called TryPod. So think about a podcast you really like. Think about someone you want to share it with. Think about someone who should try it podcasting. See, TryPod - and then let them know on social media. Tell us what you're recommend by using the hashtag TryPod, T-R-Y-P-O-D. Thanks for spreading the word.

I'm Robert Smith. Thanks for listening.

KELLY MCEVERS, BYLINE: Hey, everybody. I'm Kelly McEvers, host of NPR's Embedded. On March 9, we are back with our new episodes about police videos.


UNIDENTIFIED POLICE OFFICER #1: Shots fired, shots fired.

UNIDENTIFIED MAN #1: What did he do to deserve to be killed that night and shot so many times?

UNIDENTIFIED MAN #2: People see what they want to see. Almost no one can see those videos from a neutral perspective.

UNIDENTIFIED MAN #3: I was thinking - see the gun, see the gun. Don't kill him till you see the gun.

MCEVERS: Find Embedded on the NPR One app or at npr.org/podcasts.

Copyright © 2017 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.