Pwn2Own 2010: iPhone hacked, SMS database hijacked

Pwn2Own 2010: iPhone hacked, SMS database hijacked

Summary: Using an exploit against a previously unknown vulnerability, the duo -- Vincenzo Iozzo and Ralf Philipp Weinmann -- lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.

SHARE:

VANCOUVER, BC -- A pair of European researchers used the spotlight of the CanSecWest Pwn2Own hacking contest here to break into a fully patched iPhone and hijack the entire SMS database, including text messages that had already been deleted.

[ ALSO SEE: Pwn2Own MacBook attack: Charlie Miller hacks Safari again ]

Using an exploit against a previously unknown vulnerability, the duo -- Vincenzo Iozzo and Ralf Philipp Weinmann -- lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.follow Ryan Naraine on twitter

The exploit crashed the iPhone's browser session but Weinmann said that, with some additional effort, he could have a successful attack with the browser running.

"Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control," Weinmann explained.  Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Weinmann, a 32-year-old from the University of Luxembourg, collaborated with Iozzo (a 22-year-old Italian researcher from Zynamics) on the entire process -- from finding the vulnerability to writing the exploit. The entire process took about two weeks, Weinmann said.

[ ALSO SEE: Hacker exploits IE8 on Windows 7 to win Pwn2Own ]

Halvar Flake, a renowned security researcher who assisted with the winning exploit, said the biggest hiccup was bypassing the code-signing mitigation implemented by Apple on its flagship mobile device.

"This exploit doesn't get out of the iPhone sandbox," Flake explained, noting that an attacker can do enough damage without escaping from the sandbox.

"Apple has pretty good counter-measures but they are clearly not enough.  The way they implement code-signing is too lenient," Flake added.

On the Zynamics blog, Flake celebrated:

The payload used chained return-into-libc (“return oriented programming”) on ARM to execute in spite of code signing. As far as we know, this is the first public demonstration of chainged return-into-libc on thre ARM platform.

In addition to hijacking the SMS database, Weinmann said the winning Pwn2Own exploit could have exfiltrated the phone contact list, the email database, photographs and iTunes music files.

In the iPhone sandbox, Weinmann said there's a non-root user called 'mobile' with certain user privileges.  "With this exploit, I can do anything that 'mobile' can do."

Weinmann declined to publicly discuss the techniques he used to find the vulnerability.  "We're working on developing techniques to find a certain class of vulnerabilities.  I don't want to discuss it too much."

Aaron Portnoy, a security researcher at TippingPoint Zero Day Initiative (the company sponsoring Pwn2Own), described the attack as "very impressive."

"It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a Web page was loading."

TippingPoint ZDI acquired the exclusive rights to the flaw information.  The company will report the issue to Apple and will withhold details until a patch is released.

Weinmann and Iozzo won a $15,000 cash prize and got the keep the hijacked iPhone.

Topics: Hardware, Collaboration, iPhone, Mobility, Networking, Security, Smartphones, Telcos

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

128 comments
Log in or register to join the discussion
    • Yah... I know what ya mean...

      But then again, it would likely encourage them to keep on hacking the same platform and find more vulnerabilities.

      Then again, with the $15,000 they won - they pretty much can buy whatever phone they want and can put the pwned iPhone up for auction on ebay.
      Wolfie2K3
      • I Can Imagine

        The"FIrst Offical Hacked iPhone" going up for bid.

        Would like fetch a nice penny or two.
        rhonin
      • Sounds fun! ....Prize plus Collector's Item! :D

        Maybe Steve would buy it? haha..... ;)
        ....anonymously of course!
        i2fun
      • But aren't we ALL iPwned?

        ... I mean, really; putting up with ATT's abysmal service just for the love of our iPhone...

        mnem<~~~iPwned since 2008~~~<<<
        mnemennth
  • There would be no need to give away

    the object they couldn't hack.

    People would be willing to [i]pay[/i] for those :)
    John Zern
    • What is not hacked?

      The items hacked first are the ones that are wanted!!!

      The items not hacked are not the ones that couldn't be hacked, just
      those that are uninteresting to hack, or not wanted.

      You are missing the whole point of this competition!!!
      richardw66
    • before jailbreak or Upgrade Iphone system Backup iphone files to computer

      Transfer iphone SMS or Contact to computer or Mac for backup

      Transfer iphone to computer or Mac for backup

      I have ever use an all-in-one iphone Backup software,with it I can trasnfer my SMS/ Contact/photo/video/Call list/games and so on to computer or Mac,now I share for iphone users

      This software named--iPhone Backup Tool Kits (For computer)

      http://www.mustsoftware.com/Cucusoft-iPhone-Tool-Kits-guide.html

      Free download link:

      http://hotdownloads.com/trialware/download/Download_iPhoneToolKits_reg.exe?item=18286-5&affiliate=406676

      Another iphone backup tool named--iPhone to Mac Transfer ( For Mac)

      http://www.mustsoftware.com/iMacsoft-iPhone-to-Mac-Transfer-guide.html

      My friends also free download this two iphone backup tool,too.They say it is very easy to use.
      mintinglove
  • Because it's still the best smartphone on the market

    http://www.appleinsider.com/articles/10/03/24/robotic_test_reconfirms_apples_iphone_touchscreen_superiority.html

    My first thought were that it took weeks for experts to crack the iPhone.
    Compare this to the constantly bombarded poor excuse of a platform from Redmond.

    This contest also conveniently takes away focus from the real, money-draining problems with Windows which have existed for years and not much has changed.
    Mikael_z
    • Sure, because...

      ...all the attacks on Windows are obviously written off the cuff with no prior work. Or not.

      Did you even think before you wrote your post? Apparently not.
      Sleeper Service
      • It wouldn't surpirse me

        [i]...all the attacks on Windows are obviously written off the cuff with no prior work. Or not.[/i]

        It wouldn't surprise me, considering all the morons they have in the Ukraine who are doing it everyday.
        still not nice
        • Yes. All day. For weeks.

          Was there anything else?
          Sleeper Service
          • Yup, there is

            Windoze is permanently pwned no matter what they do.
            still not nice
    • I don't think so

      Don?t get me wrong I think the iPhone is a fine product but I don't remember the last time I heard about a Blackberry or DROID being hacked without having physical access. I also insist that the only reason that Apple of Linux desktop/server OS aren?t seen with as many vulnerabilities is because of sheer numbers. Hackers go for the masses and platforms with less than 10% of the market just aren?t all that appealing.
      sy34010
      • Is there really a difference?

        You said that for Blackberry or Droid to get penetrated, physical access was
        required... How is that an different in this case?

        It's not as though the iPhone was just turned on and placed on a table, and the
        hackers were able to get their job done with nobody touching it.

        This exploit required someone to use the iPhone and go to a specific webpage
        that the hackers had created. Isn't someone picking up the phone and
        purposefully going to a malicious web page the same as "physical access?"

        Please forgive me if I'm wrong, this isn't my particular area of expertise. I just
        can't see a logical difference based on what you've described.

        I do agree, though, about the low % of market share being a reason why
        hackers would focus their efforts on a larger pool of victims. This is starting to
        shift, however, and I've heard some people say that since Apple is more more
        expensive that their users could be seen as more lucrative or "affluent" targets!
        lelandhendrix
        • That is not "access to the device" within the meaning of the act

          That was just using the device to execute the attack. There was nothinbg done to the device to enable the attack.

          Any website can be rigged with the attack, so anyone with any iphone could be taken by that technique - just buy ad space and incorporate it in the ad and get all the phones you could want. Or hack your favourite web site to serve the exploit.
          redking44
          • Hmmm, no.

            Sorry, I still don't see the difference.

            The exploit required someone to pick up the phone and go to a nonsense
            website. How is that still not physical access?

            Can someone explain the difference? Specifically, how the device has to be
            physically manipulated to execute the exploit but that's not physical access?

            Maybe tell me exactly what "physical access" means in the case of the
            Blackberry/Droid exploits, and then maybe contrast it with what was required in
            this iPhone exploit?
            lelandhendrix
          • imo...

            Physical access attacks requires your to either:
            Insert a usb or other removable storage in the device, or open the device to do on the board reading...


            annything else is simply remote execution(even if a user goes to a website).


            PS:Regardless since the % of morrons in the population is high... and that alot of those morrons also bought an iPhone(because it's "cool" and "hot") I can understand that an attack designed to exploit the morron can exist...

            PPS: no morrons where hurt in the making of this post... However the ego of the Cult of Jobs once aggain took a hit

            PPPS: I am wearing a flame impervious coat...
            Ceridan
    • Not any more...

      Read this:

      "10 ways the Nexus One slays the iPhone":

      http://blogs.zdnet.com/Apple/?p=6328&tag=nl.e539
      scott.pei
      • THAT is simply the opinion

        of one blogger and everyone else (including myself) who commented on that post - OPINION, not fact.

        When the market share and sales figures show differently, when T-Mobile, HTC, and Google stop playing their "pass the buck" game of customer service with users, when ALL the carriers subsidize the device instead of T-Mobile then I might take Jason's post more seriously.
        athynz
    • Yes, of course. It took weeks

      to find this problem with the iPhone, yet [i]everybody[/i] knows that even an inexperienced hacker could hack a WM or Android phone in 3 minutes.

      They would [i]never[/i] need to work on it for weeks, it's just common sense because they're not made by Apple.

      Now, back to our regularly scheduled reality... :)
      John Zern