Charlie Miller wins Pwn2Own again with iPhone 4 exploit

Summary: Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.

VANCOUVER -- Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.

Miller, renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone here, using a MobileSafari flaw to swipe the phone's address book.

Miller partnered with colleague Dion Blazakis from Independent Security Evaluators on the winning exploit.

The attack simply required that the target iPhone visit a rigged web site. On the first attempt at the drive-by exploit, the iPhone browser crashed, but once it was relaunched, Miller was able to hijack the entire address book.

[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.

Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.

"If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work," Miller said.


Miller's winning exploit used ROP (return oriented programming) techniques to bypass DEP.
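To make concrete why the same exploit stops working once ASLR is in the picture, here is an added illustration that is not part of the article or Miller's exploit. It uses a constructed toy module with made-up gadget offsets (nothing here corresponds to real iOS code): a ROP chain is just a list of absolute addresses, so it only resolves to the intended gadgets if the module is loaded where the chain's author expected. Without ASLR the base is fixed and the chain resolves every time; with the base randomized, the same addresses land on nothing, which is the "extra roadblock" the article describes and why an attacker would additionally need an address leak to rebase the chain.

```python
import secrets

# Constructed toy module: offset (relative to load base) -> gadget description.
# These offsets are invented for illustration and are NOT real iOS/MobileSafari gadgets.
GADGETS = {
    0x1040: "pop rdi; ret",
    0x2210: "pop rsi; ret",
    0x3F00: "call target",
}
PAGE = 0x1000
FIXED_BASE = 0x10000000   # where the toy module lands when ASLR is off


def load_module(randomize: bool, rng=secrets.randbelow) -> int:
    """Return the base address the toy module is mapped at.

    Without ASLR the loader always picks FIXED_BASE. With ASLR the base is
    shifted by a random number of pages; `rng` is injectable so the behaviour
    can be tested deterministically.
    """
    if not randomize:
        return FIXED_BASE
    return FIXED_BASE + rng(0x10000) * PAGE


def build_chain(base: int) -> list[int]:
    """Build a ROP chain as absolute addresses against an assumed load base."""
    return [base + off for off in sorted(GADGETS)]


def resolve(base: int, chain: list[int]) -> list:
    """Map each absolute address in the chain to the gadget it actually hits
    under the real load base, or None when it points at no gadget."""
    return [GADGETS.get(addr - base) for addr in chain]


def chain_works(base: int, chain: list[int]) -> bool:
    """True only if every address in the chain resolves to a gadget."""
    return all(g is not None for g in resolve(base, chain))


if __name__ == "__main__":
    chain = build_chain(FIXED_BASE)          # chain written against the fixed base
    print("no ASLR :", chain_works(load_module(False), chain))
    print("ASLR    :", chain_works(load_module(True), chain))
```

The test below drives the loader with a deterministic "random" shift so the outcome is reproducible: the fixed-base chain succeeds without ASLR, fails once the module is shifted, and succeeds again only when rebuilt against the actual base (the address leak an attacker would need).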

This is not the first time Miller has successfully broken into a fully patched iPhone. In 2007, Miller exploited the new iPhone's Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data. Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.

[ SEE: Safari/MacBook first to fall at Pwn2Own 2011 ]

Over the years, Miller said the iPhone's security posture has improved significantly.

"The first one [in 2007] was really, really easy. They had nothing, no sandboxing. Everything was running as root. It was super easy. The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn't in a sandbox."

"As of 4.3, because of the new ASLR, it will be much harder," Miller added.

Miller and Blazakis won a $15,000 cash prize and kept the hijacked iPhone 4.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
