AMSTERDAM -- How long would it take a determined attacker to hack into Apple's iPhone device from scratch?
That was the intellectual challenge that drove a pair of Dutch researchers to start looking for an exploitable software vulnerability that would allow them to hijack the address book, photos, videos and browsing history from a fully patched iPhone 4S.
The hack, which netted a $30,000 cash prize at the mobile Pwn2Own contest here, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.
"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol (photo left), CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."
"We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day," Pol said in an interview.
"It was a basic vulnerability but we had to chain a lot of things together to write the exploit," Pol said, making it clear that the entire exploit only used a single zero-day bug to sidestep Apple's strict code signing requirements and the less restrictive MobileSafari sandbox.
Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.
The exploit itself took some jumping around. With the WebKit bug, which was not a use-after-free flaw, the researchers had to trigger a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used that memory overwrite to cause a read/write gadget, which provided a means to read/write to the memory of the iPhone. "Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing," Keuper explained.
It was a clever end-around Apple's code signing requirements and Pol described the entire exploit as "messing up the iPhone state internally in such a fashion that we got a lot of little bugs."
"We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out today will be vulnerable to this attack," Pol said. Over the course of the research, Pol and Keuper tested the exploit on the iOS 6 GM (golden master) code and also confirmed that it worked on the iPad, iPhone 4, iPod touch (all previous versions).
Despite obliterating the security in Apple's most prized product, Pol and Keuper insists that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."
"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.
He reckons that the Android platform is also "much better" than BlackBerry and said the decision to go after iPhone 4S at Pwn2Own was simply aimed at going after the harder target.
"We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target. That's the big message. No one should be doing anything of value on their mobile phone," Pol said.
Pol said he never considered the value of the vulnerability and exploit on the open market. "We have a successful company so money is not our motivation. How much did we win? I don't even know for sure. We are not in the business of selling zero-days. That's boring."
"It's really about the research to make a fair, transparent and open message that a motivated attacker will always win."
During the Pwn2Own attack, Pol created a web site that included an amusing animation of the Certified Secure logo taking a bite of the Apple logo. The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker's remote server. "If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage."
The duo destroyed the exploit immediately after the Pwn2Own hack. "We shredded it from our machine. The story ends here, we're not going to use this again. It's time to look for a new challenge," Pol said.
He provided the vulnerability and proof-of-concept code that demonstrates the risk to contest organizers at HP TippingPoint Zero Day Initiative (ZDI).
Pol also wanted to make a larger point about vulnerablity research and the way it is perceived in the industry. "You know, people think that these things are so hard to do, that it's only theoretical and that it's only Charlie Miller or Willem Pinckaers (previous Pwn2Own winners) capable of doing this. There are many people -- good and bad -- who can do this. It's important for people to understand, especially businesses, that mobile devices should never be used for important work."
"The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It's simple as that. There are a lot of people taking photos on their phones that they shouldn't be taking," Pol said, emphasising that a mass-attack using rigged ad networks could be incredibly dangerous.