Charlie Miller wins Pwn2Own again with iPhone 4 exploit
Summary: Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
VANCOUVER -- Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Miller, renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.
Miller partnered with colleague Dion Blazakis from Independent Security Evaluators on the winning exploit.
The attack simply required that the target iPhone browse to a rigged web site. On the first attempt at the drive-by exploit, the iPhone browser crashed, but once it was relaunched, Miller was able to hijack the entire address book.
[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]
In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update. Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.
"If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work," Miller said.
Miller's winning exploit used ROP (return oriented programming) techniques to bypass DEP.
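The two mitigations the article names, DEP and ASLR, only help a process whose binary opts into them. On iOS (and OS X) that opt-in is recorded in the Mach-O header flags: an executable built as position-independent carries the MH_PIE flag so the loader can randomize its base, and MH_ALLOW_STACK_EXECUTION marks a binary that asked for an executable stack, weakening DEP. The following Python is an added defender-side check, not code from the article or from Miller; it parses a thin Mach-O header and reports those two flags. The sample headers it inspects are constructed inline for illustration, and the flag values are the ones defined in Apple's mach-o/loader.h.

```python
import struct

# Mach-O magic numbers (native and byte-swapped) and the header flags we care about,
# as defined in <mach-o/loader.h>.
MH_MAGIC = 0xfeedface
MH_MAGIC_64 = 0xfeedfacf
MH_CIGAM = 0xcefaedfe
MH_CIGAM_64 = 0xcffaedfe
FAT_MAGIC = 0xcafebabe
MH_EXECUTE = 2                    # filetype: main executable
MH_ALLOW_STACK_EXECUTION = 0x20000   # binary requested an executable stack (DEP opt-out)
MH_PIE = 0x200000                 # position-independent executable; base can be randomized (ASLR)


def parse_macho_header(data):
    """Parse a thin Mach-O header and return its fields plus the mitigation flags.

    Raises ValueError for fat (multi-architecture) files, which must be sliced
    into a single architecture first, and for anything that is not Mach-O.
    """
    if len(data) < 28:
        raise ValueError("input too short to hold a Mach-O header")
    (magic_le,) = struct.unpack_from("<I", data, 0)
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"               # file is little-endian (ARM, x86)
    elif magic_le in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"               # file is big-endian (e.g. PowerPC)
    elif magic_le in (FAT_MAGIC, 0xbebafeca):
        raise ValueError("fat binary: slice out one architecture before checking flags")
    else:
        raise ValueError("not a Mach-O header")
    is64 = magic_le in (MH_MAGIC_64, MH_CIGAM_64)
    nfields = 8 if is64 else 7     # the 64-bit header adds a trailing reserved word
    if len(data) < 4 * nfields:
        raise ValueError("input too short for a 64-bit Mach-O header")
    fields = struct.unpack_from(endian + "I" * nfields, data, 0)
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = fields[:7]
    return {
        "is64": is64,
        "cputype": cputype,
        "filetype": filetype,
        "flags": flags,
        "pie": bool(flags & MH_PIE),
        "allow_stack_exec": bool(flags & MH_ALLOW_STACK_EXECUTION),
    }


def mitigation_report(data):
    """Summarize whether an executable opts into ASLR and keeps a non-executable stack."""
    hdr = parse_macho_header(data)
    if hdr["filetype"] != MH_EXECUTE:
        # Dylibs are relocatable by construction; PIE is only meaningful for executables.
        return {"aslr_full": None, "stack_nx": not hdr["allow_stack_exec"]}
    return {"aslr_full": hdr["pie"], "stack_nx": not hdr["allow_stack_exec"]}


def build_header(flags, is64=False, endian="<", filetype=MH_EXECUTE):
    """Construct a minimal Mach-O header for testing (constructed data, not a real binary).

    cputype 12 is CPU_TYPE_ARM and cpusubtype 9 is ARM_V7, the iPhone 4's processor.
    """
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    fields = [magic, 12, 9, filetype, 0, 0, flags]
    if is64:
        fields.append(0)           # reserved word present only in the 64-bit header
    return struct.pack(endian + "I" * len(fields), *fields)


if __name__ == "__main__":
    for name, blob in [("pie", build_header(MH_PIE)),
                       ("legacy", build_header(0)),
                       ("exec-stack", build_header(MH_ALLOW_STACK_EXECUTION))]:
        print(name, mitigation_report(blob))
```

To check a real file, read its first 32 bytes and pass them to mitigation_report; a fat binary needs to be sliced to one architecture first (for example with the lipo tool), since this parser stops at the fat header on purpose rather than guessing which slice the device will load.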
This is not the first time Miller has successfully broken into a fully patched iPhone. In 2007, Miller exploited the new iPhone's Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data. Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.
[ SEE: Safari/MacBook first to fall at Pwn2Own 2011 ]
Over the years, Miller said the iPhone's security posture has improved significantly.
"The first one [in 2007] was really, really easy. They had nothing, no sandboxing. Everything was running as root. It was super easy. The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn't in a sandbox."
"As of 4.3, because of the new ASLR, it will be much harder," Miller added.
Miller and Blazakis won a $15,000 cash prize and kept the hijacked iPhone 4.
ALSO SEE:
- Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches
- Google Chrome gets last-minute bandaid before Pwn2Own
- Questions for Pwn2Own hacker Charlie Miller
Talkback
Color me not surprised.
Wow, Charlie looks kind of tired
interesting, though, that Apple was rather quiet about adding ASLR in the latest update; wouldn't they want to broadcast that a little louder? Especially with the iPhone + Enterprise talk?
Also interesting is this article refers to the phone Charlie hacked as a fully patched iPhone, which it's not. From what I understand, iOS 4.3 is out, but the phone submitted to CanSecWest was turned in before the patch released, hence it was tested with 4.2?
is this not correct?
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
But that's exactly my point...this could go to Apple's credit
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
Wow! That is the greatest mind blowing distortion field that I have ever heard not come out of Charlie Sheen's mouth. Winning!!!
So Apple is a laggard in the deployment of ASLR and somehow that is a win? That Apple just now released their patch, yes 4.3 is a patch, after the event occurred and somehow that it is a win that it was not exploited. And, do not delude yourself, the 4.3 patch would have been equally exploited. After all, Apple is just now getting to things that Microsoft did years ago.
distortion field? not hardly.
I am by all means [i]not[/i] an Apple fanboy, if anything I'm a linux fan.
I never said delaying 4.3 was a win for Apple, I didn't even imply that. What I said was if Apple had released 4.3 earlier, the phone submitted to CanSecWest wouldn't have had 4.2 on it.
And by Charlie Miller's own admission, the exploit he used wouldn't have worked on 4.3: [i]"If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work," Miller said.[/i]
As far as your statement: [i]"After all, Apple is just now getting to things that Microsoft did years ago."[/i] Really? I thought Win Pho 7 was released back in Sept, 2010? and, does it use ASLR?
Oh, unless you were talking MS' desktop o/s and comparing that to Apple phone o/s? What were you saying about a distortion field?
Sheesh, these talkbacks have gotten so bad one can't even be fair and objective without getting called a delusional fanboy
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
Windows Mobile 6 has had ASLR. That came out in 2007. Windows XP, which is a decade old, has ASLR.
And, yes, Charlie Miller, or someone else, would have broken a 4.3 phone. Maybe not by that technique, but by another. To imply that the 4.3 patch is somehow intrinsically secure misspeaks the truth. The 4.3 patch merely addresses some of these particular vulnerabilities.
No, actually...
XP never had nor has ASLR (unless you utilize a 3rd party HIDS product). ASLR wasn't introduced in Windows until Vista. XP [i]did[/i] have DEP, but it wasn't released until SP2 in 2004.
However that's desktop o/s, we're talking phone o/s...
And I don't believe Windows Mo 6 has/had ASLR. Nothing I've read would indicate otherwise.
I would be interested if you could provide a link supporting your argument?
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
It's like when you have 10 errands to run you want to do the easy mindless ones first. Work on the challenging one last in case you can't do it.
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
I'd say the assumption is that he hacked into an iPhone 4 running iOS 4.2.1 based on that statement.
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
Forgot to read the article before this one?
And what do you suppose iOS uses, another WebKit based browser?
The exact same WebKit used in OS X 10.6.6 fully patched with Safari and Java, yet still got hacked in 5 seconds!!!
And you think iOS is different uh? As in better? Duh to the power 100!
[i]~~~~~~~~~~
Never underestimate the power of human stupidity.
~ Robert A. Heinlein[/i]
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
Thank you for your explanation.
Because of WindTard's comment, "...yet still got hacked in 5 seconds!!!..." I felt compelled to make my comment. My thinking is many folks forget the time it took to find then develop a workaround. They see 5 seconds then hang their hats on that.
Again, thank you for your response.
RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit
BBs used to be so expensive and a PITA without BES. Competition is good for all consumers!