The infamous hacker George ‘geohot’ Hotz has been hired by Google. He’ll be joining a team aimed at securing the kind of vulnerabilities that Geohot is world famous at finding and exploiting to work on a large scale security initiative. Confirming the appointment on the Project Zero blog, aiming to help rid the world of Zero day exploits on the web.
Geohot has a long history in exploiting system vulnerabilities. First shooting to fame as the first person to unlock the then restricted original iPhone for use on other carriers. Doing so with an unbreakable hardware unlock.
When demoing this on YouTube, Geohot received offers of thousands of dollars for the handset. Including directly from Apple. According to Hotz’s blog, he traded his 2nd unlocked 8 GB iPhone to Terry Daidone, the founder of Certicell, for a Nissan 350Z and three 8 GB iPhones. Later being involved with jailbreak exploits blackra1n and limera1n.
Geohot then went on to find a hole in Sony’s PlayStation 3, decrypting the PS3 “root key” and posting it online. This allowed for the console to play ‘homebrew’ and pirated games, something Sony didn’t take laying down. They pursued legal action against Geohot for breaking the software license.
This pursuit inadvertently lead Sony to lose thousands of user’s personal data. After hacks by Anonymous and Lulzsec left the Sony PlayStation network down for several weeks. Sony later backed down providing Hotz didn’t try to hack any Sony equipment again.
After a very brief stint working for Facebook, more recently Geohot has be quiet. Other than releasing his ‘Towel Root’ exploit, which enabled root access to the previously unhackable Galaxy s5 and Note 3 for AT&T and Verizon. All from a one click application available for download, while collecting a huge bounty from XDA developers in the process.
Project Zero (day)
Termed Project Zero, there is a major push to find vulnerabilities in online software then highlight these to the software developers. Aiding in plugging a hole that could enable sensitive data to be accessed. These vulnerabilities are referred to as ‘zero day’ or ‘0day’, and they apply to any highlighted security hole used to gain unauthorized access. Called zero day because the developer has 0days to fix the issues, as in right now!
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications, Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem” wrote Evans.
Such attacks are not only used by criminals to gain sensitive data, they are also used by security agencies to track and monitor individuals and business. Once an exploit had been accessed, the server can be completely taken over by an attacker. They could then monitor any data on the server. Able to delete, copy or transfer the information at will.
What do you think of Geohot working for Google? Let us know in the comments below, or on Google+, Facebook, or Twitter.Source: Google Project Zero Blog