Charlie Miller wins Pwn2Own again with iPhone 4 exploit

Charlie Miller wins Pwn2Own again with iPhone 4 exploit

Summary: Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.

SHARE:
52

VANCOUVER -- Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.

Miller (right), renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.

Miller partnered with colleague Dion Blazakis from Independent Security Evaluators on the winning exploit.

The attack simply required that the target iPhone surfs to a rigged web site.  On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.

[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.

Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.

"If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work," Miller said.follow Ryan Naraine on twitter

Miller's winning exploit used ROP (return oriented programming) techniques to bypass DEP.

This is not the first time Miller has successfully broken into a fully patched iPhone.  In 2007, Miller exploited the new iPhone's Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data.  Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.

[ SEE: Safari/MacBook first to fall at Pwn2Own 2011 ]

Over the years, Miller said the iPhone's security posture has improved significantly.

"The first one [in 2007] was really, really easy.  They had nothing, no sandboxing.  Everything was running as root.  It was super easy.   The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn't in a sandbox."

"As of 4.3, because of the new ASLR, it will be much harder," Miller added.

Miller and Blazakis won a $15,000 cash prize and kept the hijacked iPhone 4.

ALSO SEE:

Topics: Laptops, Apple, Hardware, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

52 comments
Log in or register to join the discussion
  • Color me not surprised.

    Not surprised at all.
    Hallowed are the Ori
  • Wow, Charlie looks kind of tired

    I thought they were trying Droid and BB phones too? or is that another day?

    interesting, though, that Apple was rather quiet about adding ASLR in the latest update; wouldn't they want to broadcast that a little louder? Especially with the iPhone + Enterprise talk?

    Also interesting is this article refers to the phone Charlie hacked as a fully patched iPhone, which it's not. From what I understand, iOS 4.3 is out, but the phone submitted to CanSecWest was turned in before the patch released, hence it was tested with 4.2?

    is this not correct?
    UrNotPayingAttention
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @chmod 777 sshh... please be quiet. you are disturbing Apple's reality distortion field. Everything is great,,,, everything is perfect,,,, no viruses,,, no malware,,, no flaws of any kind,,, snafu
      pupkin_z
      • But that's exactly my point...this could go to Apple's credit

        @pupkin_z <br><br>If Apple had released iOS 4.3 before they did, and the phone Charlie hacked was <i>really</i> fully patched, his exploit wouldn't have worked.<br><br>He admitted as much. I think implementing ASLR is a big jump for Apple and the iPhone; I don't understand why they would want an earlier version tested and/or why they aren't more vocal about implementing it in the o/s?<br><br>To save face? Yes, one could make the argument that "Apple is just now deploying ASLR to their phone o/s"...but what speaks stronger? That, or "Charlie Miller <i>not</i> being able to hack the phone, because it was running the latest update which implemented ASLR?"<br><br>I think Apple shot themselves in the foot on this one, waiting until the last minute. (And, trust me, I'm saying this as a <i>non</i>-fanboy. I've long questioned the security of the iOS devices as pertains to personal identity information.)<br><br>And...my question remains: How are Droid and BB going to fare?
        UrNotPayingAttention
      • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

        @chmod 777

        Wow! That is the greatest mind blowing distortion field that I have ever heard not come out of Charlie Sheen's mouth. Winning!!!

        So Apple is a lagard in the deployment of ASLR and somehow that is a win? That Apple just now released their patch, yes 4.3 is a patch, after th event occurred and somehow that it is a win that it was not exploited. And, do not delude yourself, the 4.3 patch would have been equally exploited. After all, Apple is just now getting to things that Microsoft did years ago.
        Your Non Advocate
      • distortion field? not hardly.

        @pupkin_z

        I am by all means [i]not[/i] Apple fanboy, if anything I'm a linux fan.

        I never said delaying 4.3 was a win for Apple, I didn't even imply that. What i said was if Apple had released 4.3 earlier, the phone submitted to CanSecWest wouldn't have had 4.2 on it.

        And by Charlie Miller's own admission, the exploit he used wouldn't have work on 4.3: [i]?If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won?t work. I?d have to bypass DEP and ASLR for this exploit to work,? Miller said.[/i]

        As far as your statement: [i]"After all, Apple is just now getting to things that Microsoft did years ago."[/i] Really? I thought Win Pho 7 was released back in Sept, 2010? and, does it use ASLR?

        Oh, unless you were talking MS' desktop o/s and comparing that to Apple phone o/s? What were saying about a distortion field?

        Sheesh, these talkbacks have gotten so bad one can't even be fair and objective without getting called a delusional fanboy
        UrNotPayingAttention
      • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

        @chmod 777

        Windows Mobile 6 has had ASLR. That came out in 2007. Windows XP, which is a decade old has ALSR.

        And, yes, Charlie Miller, or someone else would have broken a 4.3 phone. Maybe not by that techinque, but by another. To imply that the 4.3 patch is somehow intrinsically secure misspeaks the truth. the 4.3 patch merely addresses some of these particular vulnerabilities.
        Your Non Advocate
      • No, actually...

        @pupkin_z

        XP never had nor has ASLR (unless you utilize a 3rd party HIDS product). ASLR wasn't introduced in Windows until Vista. XP [i]did[/i] have DEP, but wasn't released until SP2 in 2004.

        However that's desktop o/s, we're talking phone o/s...

        And I don't believe Windows Mo 6 has/had ASLR. Nothing I've read would indicate otherwise.

        I would be interested if you could provide a link supporting your argument?
        UrNotPayingAttention
      • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

        Bypassing ASLR is trickier, but not impossible. See Windows 7/IE 8 hack (and yes, Windows 7 does apply ASLR to IE 8, if that's what you're questioning)
        spacespeed
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @chmod 777

      Its like when you have 10 errands to run you want to do the easy mindless ones first. work on the challenging one last in case you can't do it.
      rengek
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @chmod 777 Blackberry was owned pretty easily as well...
      snoop0x7b
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @chmod 777 [b]In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.[/b]

      I'd say the assumption is that he hacked into an iPhone 4 running iOS 4.2.1 based on that statement.
      athynz
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @chmod 777 no because they need to keep the illusion that their software isn't hackable and that there aren't any viruses or malware on any of their platforms.
      Jimster480
  • Message has been deleted.

    SonofaSailor
    • Forgot to read the article before this one?

      @SonofaSailor Crackberry was cracked a lot easier than the iPhone ..... and they did it without even using a debugger.
      wackoae
      • And what do you suppose iOS uses, another WebKit based browser?

        @wackoae The only reason BB got hacked was due to the open-source vulnerability present in the open source WebKit engine.

        The exact same WebKit used in OS X 10.6.6 fully patched with Safari and Java, yet still got hacked in 5 seconds!!!

        And you think iOS is different uh? As in better? Duh to the power 100!

        [i]~~~~~~~~~~
        Never underestimate the power of human stupidity.
        ~ Robert A. Heinlein[/i]
        WinTard
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @WinTard<br>It was not hacked in 5 seconds. It took many weeks to do it. When at the show it was their turn they did it in 5 seconds. No matter how good they are they will not be able to hack any device by picking it up then in 5 seconds hack it. It takes much time to figure how to get around the security. Then a rigged site was setup to test it on. Where is your 5 seconds?<br><br>Much the same as for weeks studying electrical schematics to find what be might causing an electrical glitch. When found and tested you then walk in turn one screw, fixed. Folks say 'oh wow you are good it took you 5 seconds to fix it'. Wrong, it took quite a while to find the fix, test the fix, then a few seconds to physically apply the fix it.
      BubbaJones_
      • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

        @RicD_ <br>Don't be confused by the length of time. You are right that it takes significantly more time to discover these bugs and devise exploits - - but we recognize such a quick exploit like this is significant because traditional brute force attacks might take minutes, hours, days and are not as worthwhile to hackers.
        joblak@...
      • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

        @oblak@
        Thank you for your explanation.

        Because of WindTard's comment, "...yet still got hacked in 5 seconds!!!..." I felt complelled to make my comment. My thinking is many folks forget the time it took to find then develop a workaround. They see 5 seconds then hang their hats on that.

        Again, thank you for your response.
        BubbaJones_
    • RE: Charlie Miller wins Pwn2Own again with iPhone 4 exploit

      @SonofaSailor You are deluding yourself if you think *any* device is uncrackable. It sounds like you are a salesperson for BB. Only someone intimately involved with BB would be so emotional involved to be this excited about one more exploit.

      BBs used to be so expensive and a PITA without BES. Competition is good for all consumers!
      zdnet-registraion