VANCOUVER -- Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Miller (right), renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.
Miller partnered with colleague Dion Blazakis from Independent Security Evaluators on the winning exploit.
The attack simply required that the target iPhone surfs to a rigged web site. On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.newest iOS 4.3 update.
Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.
Miller's winning exploit used ROP (return oriented programming) techniques to bypass DEP.
This is not the first time Miller has successfully broken into a fully patched iPhone. In 2007, Miller exploited the new iPhone's Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data. Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.
Over the years, Miller said the iPhone's security posture has improved significantly.
"The first one [in 2007] was really, really easy. They had nothing, no sandboxing. Everything was running as root. It was super easy. The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn't in a sandbox."
"As of 4.3, because of the new ASLR, it will be much harder," Miller added.
Miller and Blazakis won a $15,000 cash prize and kept the hijacked iPhone 4.
- Pwn2Own 2011: On cue, Apple drops massive Safari, iOS patches
- Google Chrome gets last-minute bandaid before Pwn2Own
- Questions for Pwn2Own hacker Charlie Miller