Pwn2Own predictions: iPhone will be hacked
Summary: Experts are predicting that hackers at this year's CanSecWest Pwn2Own contest will definitely break into an Apple iPhone by exploiting a remote code execution vulnerability.
Hackers at this year's CanSecWest Pwn2Own contest will definitely break into an Apple iPhone by exploiting a remote code execution vulnerability.
That's the prediction from Charlie Miller and Aaron Portnoy, two security researchers who are monitoring events leading to next week's hacker challenge.
Portnoy, a vulnerability researcher at TippingPoint and an organizer of this year's contest, believes the iPhone will be the only mobile device to fall despite a bigger bounty on smartphone vulnerabilities.
Here's Portnoy's public prediction:
While last year’s contest did not see any pwnage of the mobile devices, there have been a number of devices added to the list and with all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target. Plus, we announced the mobile targets with more lead time this year, so I don’t expect these to survive this go around. First to fall: the iPhone. Survivors: BlackBerry, Symbian, Android.
In a live chat over on Threatpost, Charlie Miller provided more details around his iPhone-will-fall prediction:
Someone I know quite well says they have an exploit for it and plan on using it. But to answer your question in a more general way, from an exploitation perspective, iPhone is no harder than OS X now that Snow Leopard has DEP. In fact it is easier because it lacks ASLR altogether. (Interestingly, there was a year when iPhone had DEP and OS X didn't and so iPhone was way harder then). These statements are true for Pwn2Own at least.
In real life iPhone is harder because you can't just exec a shell (since there is no /bin/sh). You have to write your return oriented payload to do all your dirty work, which can be a pain. In Pwn2Own, you just have to prove you have code running, not actually do something useful, so the bar is lower. The only thing iPhone has going for it, which coincidentally is stopping me from attacking it this year, is a smaller attack surface. There isn't as much exposed code on the iPhone. Safari for Mac OS X can do anything, render any file, etc. Not so on iPhone. There are some file types MobileSafari can't display, some they display incompletely, and of course, iPhone lacks Java and Flash, which come by default on Safari. The easy-to-exploit bugs I know about happen to live in the code that Safari (on OS X) has but MobileSafari doesn't, so no go for me.
Back in 2007, Miller was among the first to remotely exploit the iPhone using an SMS vulnerability. He is best known for exploiting Apple's Safari browser to win back-to-back Pwn2Own challenges.
On Twitter, a pair of researchers -- _snagg and esizkur -- have publicly announced their plans to take aim at the iPhone.
Here are some additional predictions from TippingPoint's Portnoy:
- More Competitors, More Pwnage. In past years’ contests, we’ve had about 4-5 competitors – and they all signed up the day of the show. To date, we’ve had six participants register for the contest and expect a few more will sign up on site. These are some of the best and brightest minds in security research and I anticipate some very interesting (and successful) hack attempts on most of the targets we’ve outlined.
- Not Your Average Attack Vectors. To the point above, I fully expect some impressive exploits to come out of this competition. To fuel creativity and to make this more of a competition, we are not allowing the use of third-party plug-ins to aid in exploitation – at least on the first day. Third-party plug-ins – like Adobe Flash – introduce weaknesses that aid in exploitation of client-side vulnerabilities. This means that in order to defeat security controls such as Microsoft’s Data Execution Prevention (DEP) and/or Address Space Layout Randomization (ASLR), a contestant will have to write an impressive exploit. I expect to see such an exploit topple Internet Explorer 8 on Windows 7 early on in the contest.
- Chrome’s Sandbox Model Saves the Day. While Chrome is often affected by vulnerabilities due to its inclusion of the WebKit library, I predict the browser will remain untouched throughout Pwn2Own. This is due to the difficulty in producing an impactful exploit that can break out of the security sandbox. I predict its counterpart, Safari, will fall by Day 2.
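Both Miller and Portnoy frame the contest around two mitigations, DEP and ASLR. As an added illustration that is not part of the article or the contest, the checks below read the header bits through which a binary opts into those mitigations: the Mach-O MH_PIE and MH_NO_HEAP_EXECUTION flags and the PE DllCharacteristics DYNAMIC_BASE and NX_COMPAT bits. The sample headers are constructed inline; whether a set flag takes effect still depends on the loader (as Miller notes, the iPhone of that year had no ASLR at all).

```python
import struct

# Mach-O header flags (mach-o/loader.h)
MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
MH_PIE = 0x200000                 # image base is randomized by the loader (ASLR)
MH_NO_HEAP_EXECUTION = 0x1000000  # heap pages are mapped non-executable

# PE optional-header DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in


def macho_mitigations(data):
    """Return the ASLR / non-executable-heap opt-ins of a little-endian Mach-O image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    flags, = struct.unpack_from("<I", data, 24)
    return {"aslr": bool(flags & MH_PIE),
            "nx_heap": bool(flags & MH_NO_HEAP_EXECUTION)}


def pe_mitigations(data):
    """Return the ASLR / DEP opt-ins recorded in a PE image's DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # 4-byte signature, 20-byte COFF header, then the optional header;
    # DllCharacteristics is at +70 in both PE32 (0x10b) and PE32+ (0x20b).
    opt = e_lfanew + 24
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    return {"aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
            "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)}


def fake_macho(flags):
    # Constructed test header: ARM (cputype 12) MH_EXECUTE (filetype 2), no load commands.
    return struct.pack("<7I", MH_MAGIC, 12, 6, 2, 0, 0, flags)


def fake_pe(dll_chars):
    # Constructed test image: DOS header pointing at offset 0x40, empty COFF header,
    # PE32 optional header zeroed except Magic and DllCharacteristics.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + b"\0" * 20 + opt
```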


Talkback
More predictions
for Apple after Apple's products tumble first for
the 3rd year in a row.
Nah
http://www.computerworld.com/s/article/9169778/Apple_plugs_16_holes_in_Safari_as_Pwn2Own_looms
Oh no!
Poor hackers..
Poor hackers.
That's a completely unfair characterization of people who spend their working lives finding holes in software so they can be patched. I'm not saying all those competing are on the up and up, but to make a blanket statement about the entire group is rude and uncalled for.
It's not a pejorative.
Pwn2Own
This isn't news, it's a circus. Jolly good fun perhaps, but not reality.
No, not real life - and I hadn't realised no real exploitation
something with an exploit - just find one.
So how do they reasonably claim it's a vulnerability?
Nobody hacks into a computer to say 'I got through the first level, can't make any use of the computer in any way, but still the browser behaved less than perfectly, so I am a hacking genius'.
Hackers before Pwn2Own had to leave a sign of their presence, or get some use of the computer, or they had to obtain some data that was of benefit to them, or someone else.
I could for instance pick the lock on a fly-screen security door then be stopped by the front door, but claim the fly-screen door was an exploit as I would have defeated a level of security without being able to do anything except knock on the front door.
This is clearly the case with at least one of the iPhone examples quoted:
[i]Safari for Mac OS X can do anything, render any file, etc. Not so on iPhone.[/i]
This is why Apple limits the iPhone; in this case at least you can break into the browser, but so what?
You wanted an apology!
and to prove his misnomer
[i]Apple apologists will be scrambling to apologize for Apple after Apple's products tumble first for the 3rd year in a row.[/i]
Yep, you are right, I shall apologise for the fact that Macs may fall in an unreal security situation.
I shall apologise personally to you for the fact that so many Windows PCs are infected with viruses, and yet next to no Macs are.
I shall apologise for the ability of the best minds in breaking computer security to be able to find exploits, without having to prove the real-world usefulness of those exploits, yet the seeming inability of the criminal and malicious hackers to cause an impact on the Apple user base.
I shall apologise for the high market share of iPhones not leading to the effect that so many people such as you are claiming will happen when Apple has market share.
I shall apologise for any other real world fact that you like, if that makes it easier for you to feel so smug and superior in your easily and widely hacked world.
I think you need to make several apologies for your attitude and your twisting of the facts in many of your posts, but I predict you won't.
And what will your response be when they
Double standards queued
Unpwnable Ubuntu Linux with LSM AppArmor Stop Exploits Cold
But I am not surprised, as Ubuntu Linux 9.10, equipped with the Linux Security Module AppArmor, distinguishes itself as being the safest operating system on the planet.
Dietrich T. Schmitz
GNU/Linux Advocate
Luser OSes need not apply...
OSX and Windows lost last time.. so only Ubuntu can apply? Sweet!
Why does Linux require so much extra effort just to make it less vulnerable?
LD: Read up on MAC and Linux Security Modules
This allows LSMs to 'police' both the 'App' and 'kernel'.
For example, Sandbox technology in IE8, Chrome browser is only as good as the underlying O/S security model (the Windows kernel), which has been recently shown to be capable of compromise (BSoD/rootkit W7 32-bit).
Unlike Windows 7, LSMs run outside of the kernel memory space which is simply more secure.
It still requires extra effort and configuration
Actually no configuration effort. AppArmor is preinstalled on Ubuntu.
(nt) But not enabled for Firefox, and many other apps by default
But still needs to be configured
Re:
browser is only as good as the underlying O/S security model (the Windows kernel), which has been recently shown to be capable of compromise (BSoD/rootkit W7 32-bit)."
So Windows 7 x64 is as secure as Linux?
Why do you eat dog crap?