Pwn2Own predictions: iPhone will be hacked

Summary: Experts are predicting that hackers at this year's CanSecWest Pwn2Own contest will definitely break into an Apple iPhone by exploiting a remote code execution vulnerability.

Hackers at this year's CanSecWest Pwn2Own contest will definitely break into an Apple iPhone by exploiting a remote code execution vulnerability.

That's the prediction from Charlie Miller and Aaron Portnoy, two security researchers who are monitoring events leading to next week's hacker challenge.

Portnoy, a vulnerability researcher at TippingPoint and an organizer of this year's contest, believes the iPhone will be the only mobile device to fall despite a bigger bounty on smartphone vulnerabilities.

Here's Portnoy's public prediction:

While last year’s contest did not see any pwnage of the mobile devices, there have been a number of devices added to the list and with all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target. Plus, we announced the mobile targets with more lead time this year, so I don’t expect these to survive this go around. First to fall: the iPhone. Survivors: BlackBerry, Symbian, Android.

In a live chat over on Threatpost, Charlie Miller provided more details around his iPhone-will-fall prediction:

Someone I know quite well says they have an exploit for it and plan on using it. But to answer your question in a more general way, from an exploitation perspective, iPhone is no harder than OS X now that Snow Leopard has DEP. In fact it is easier because it lacks ASLR altogether. (Interestingly, there was a year when iPhone had DEP and OS X didn't and so iPhone was way harder then). These statements are true for Pwn2Own at least.

In real life iPhone is harder because you can't just exec a shell (since there is no /bin/sh). You have to write your return oriented payload to do all your dirty work, which can be a pain. In Pwn2Own, you just have to prove you have code running, not actually do something useful, so the bar is lower. The only thing iPhone has going for it, which coincidentally is stopping me from attacking it this year, is a smaller attack surface. There isn't as much exposed code on the iPhone. Safari for Mac OS X can do anything, render any file, etc. Not so on iPhone. There are some file types MobileSafari can't display, some they display incompletely, and of course, iPhone lacks Java and Flash which comes by default on Safari. The easy to exploit bugs I know about happen to live in the code that Safari (on OS X) has but MobileSafari doesn't, so no go for me.

Back in 2007, Miller was among the first to remotely exploit the iPhone using an SMS vulnerability. He is best known for exploiting Apple's Safari browser to win back-to-back Pwn2Own challenges.

On Twitter, a pair of researchers -- _snagg and esizkur -- have publicly announced their plans to take aim at the iPhone.

Here are some additional predictions from TippingPoint's Portnoy:

  1. More Competitors, More Pwnage. In past years’ contests, we’ve had about 4-5 competitors – and they all signed up the day of the show. To date, we’ve had six participants register for the contest and expect a few more will sign up on site. These are some of the best and brightest minds in security research and I anticipate some very interesting (and successful) hack attempts on most of the targets we’ve outlined.
  2. Not Your Average Attack Vectors. To the point above, I fully expect some impressive exploits to come out of this competition. To fuel creativity and to make this more of a competition, we are not allowing the use of third-party plug-ins to aid in exploitation – at least on the first day. Third-party plug-ins – like Adobe Flash – introduce weaknesses that aid in exploitation of client-side vulnerabilities. This means that in order to defeat security controls such as Microsoft’s Data Execution Prevention (DEP) and/or Address Space Layout Randomization (ASLR), a contestant will have to write an impressive exploit. I expect to see such an exploit topple Internet Explorer 8 on Windows 7 early on in the contest.
  3. Chrome’s Sandbox Model Saves the Day. While Chrome is often affected by vulnerabilities due to its inclusion of the WebKit library, I predict the browser will remain untouched throughout Pwn2Own. This is due to the difficulty in producing an impactful exploit that can break out of the security sandbox. I predict its counterpart, Safari, will fall by Day 2.
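Both Miller and Portnoy lean on the same two mitigations, DEP/NX and ASLR, and the practical defender-side question is whether a given binary actually opts into them. The following is an added example written for this page, not code from the article or from either researcher: a small ELF64 inspector that reports whether a Linux binary requests a non-executable stack (a PT_GNU_STACK program header without PF_X) and whether it is a position-independent executable (ET_DYN plus a PT_INTERP entry), which is what lets ASLR relocate the main image. It generalises the page's Mac OS X and iPhone discussion to the ELF format; the Mach-O equivalents are not covered. The sample images are constructed in memory (they are not loadable programs) so the script runs offline; the constants are from the ELF specification.

```python
"""Report whether an ELF64 binary opts into a non-executable stack (DEP/NX)
and position independence (the property ASLR needs for the main image).

Added example for this page; not code from the article, Miller or Portnoy.
The sample images built by build_sample_elf() are constructed test data.
"""
import struct
import sys

# ELF constants from the specification / <elf.h>
ET_EXEC = 2
ET_DYN = 3
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"        # ELF64 header, little-endian
PHDR_FMT = "<IIQQQQQQ"                # ELF64 program header
EHDR_SIZE = struct.calcsize(EHDR_FMT) # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT) # 56


def inspect_elf(data: bytes) -> dict:
    """Parse an ELF64 little-endian image and report mitigation-relevant facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (_ident, e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 0)

    stack_flags = None
    has_interp = False
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_INTERP:
            has_interp = True

    # No PT_GNU_STACK entry: the x86 loader has historically granted an
    # executable stack in that case, so "absent" is treated as not opted in.
    nx_stack = stack_flags is not None and not (stack_flags & PF_X)
    # ET_DYN with an interpreter is a PIE executable; ET_DYN without one is a
    # shared library; ET_EXEC is a fixed-address image ASLR cannot relocate.
    if e_type == ET_DYN and has_interp:
        kind = "pie-executable"
    elif e_type == ET_DYN:
        kind = "shared-object"
    elif e_type == ET_EXEC:
        kind = "fixed-address-executable"
    else:
        kind = "other"
    return {"nx_stack": nx_stack, "kind": kind,
            "aslr_main_image": kind == "pie-executable"}


def build_sample_elf(e_type: int, stack_flags, with_interp: bool) -> bytes:
    """Construct a minimal ELF64 image carrying only the program headers this
    check inspects. Constructed test data, not a runnable binary."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if with_interp:
        phdrs.append(struct.pack(PHDR_FMT, PT_INTERP, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, v1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # With paths on the command line, inspect real binaries; otherwise show a
    # weak (RWX stack, fixed address) image beside a hardened (NX, PIE) one.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_elf(f.read()))
    if len(sys.argv) == 1:
        print("weak    ", inspect_elf(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X, True)))
        print("hardened", inspect_elf(build_sample_elf(ET_DYN, PF_R | PF_W, True)))
```

Running it with no arguments prints the two constructed cases; passing `/usr/bin/ls` or any other ELF64 file reports that file. The "absent PT_GNU_STACK" rule is the conservative reading for x86 loaders; other architectures and newer kernels may default differently, so treat a missing header as a finding to confirm rather than a verdict.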

  • More predictions

    Apple apologists will be scrambling to apologize
    for Apple after Apple's products tumble first for
    the 3rd year in a row.
    • Nah

      Actually, Apple is doing something rather clever to 'win' the contest. They are holding back on security fixes until the last minutes and patching a week or 2 before the contest. They are hoping that this will actually patch a hole that hackers are planning to use such that they will have little time to find another one to exploit. Anything for some bragging rights I guess.
      • Oh no!

        You mean if the hackers want to make claims like "I hacked it in 10 seconds" they'll [i]actually have to do it in 2 weeks, instead of a year[/i]!?

        Poor hackers..
        • Poor hackers.

          Security Researcher != hacker

          That's a completely unfair characterization of people who spend their working lives to find holes in software so they can be patched. I'm not saying all those competing are on the up and up, but to blanket statement the entire group is rude and uncalled for.
          • It's not a pejorative.
    • Pwn2Own

      It's not exactly representative of "normal" security situations is it?

      This isn't news, it's a circus. Jolly good fun perhaps, but not reality.
      • No, not real life - and I hadn't realised no real exploitation

        I had not realised that to win you do not have to show you can do
        something with an exploit - just find one.

        So how do they reasonably claim it's a vulnerability?

        Nobody hacks into a computer to say 'I got through the first level,
        can't make any use of the computer in any way, but still the browser
        behaved less than perfectly, so I am a hacking genius'.

        Hackers before Pwn2Own had to leave a sign of their presence, or get
        some use of the computer, or they had to obtain some data that was
        of benefit to them, or someone else.

        I could for instance pick the lock on a fly-screen security door then be
        stopped by the front door, but claim the fly-screen door was an
        exploit as I would have defeated a level of security without being able
        to do anything except knock on the front door.

        This is clearly the case with at least one of iPhone examples quoted:

        [i]Safari for Mac OS X can do anything, render any file, etc. Not so on

        This is why Apple limits the iPhone, in this case at least you can break
        into the browser, but so what?
    • You wanted an apology!

      @nonZealot - the MS apologist, keen to twist logic to attack Apple,
      and to prove his Misnomer

      [i]Apple apologists will be scrambling to apologize
      for Apple after Apple's products tumble first for
      the 3rd year in a row.[/i]

      Yep, you are right, I shall apologise for the fact that Macs may fall in
      an unreal security situation.

      I shall apologise personally to you for the fact that so many Windows
      PCs are infected with viruses, and yet next to no Macs are.

      I shall apologise for the ability of the best minds in breaking computer
      security to be able to find exploits, without having to prove the real-
      world usefulness of those exploits, yet the seeming inability of the
      criminal and malicious hackers to cause an impact on the Apple user

      I shall apologise for the high market share of iPhones not leading to
      the effect that so many people such as you are claiming will happen
      when Apple has market share.

      I shall apologise for any other real world fact that you like, if that
      makes it easier for you to feel so smug and superior in your easily and
      widely hacked world.

      I think you need to make several apologies for your attitude and your
      twisting of the facts in many of your posts, but I predict you won't.
    • And what will your response be when they

      take down a Windows mobile phone in less time? Or is that not on the menu because it's too easy of a target?

      Double standards queued
  • Unpwnable Ubuntu Linux with LSM AppArmor Stop Exploits Cold

    It is conspicuous to find that Canonical's Ubuntu Linux is not included in TippingPoint's Pwn2Own competition.

    But, I am not surprised as Ubuntu Linux 9.10 equipped with Linux Security Module AppArmor distinguishes it as being the safest operating system on the planet.

    Dietrich T. Schmitz
    GNU/Linux Advocate
    • Luser OSes need not apply...

      • OSX and Windows lost last time.. so only Ubuntu can apply? Sweet!
    • Why does Linux require so much extra effort just to make it less vulnerable?

      I mean if Linux was so great you'd think it wouldn't need all these extra applications and configurations just to try to make it less vulnerable, but as you clearly point out in every post that it requires AppArmor just to be somewhat secure. That sounds like a lot of hassle and extra maintenance that no administrator would want to deal with. Now we have proof that Linux truly is a dead OS when 3rd party applications need to secure it and all the spamming in the world still doesn't save it.
      Loverock Davidson
      • LD: Read up on MAC and Linux Security Modules

        LSMs are as designed a more secure method of Mandatory Access Control performed by an 'external' kernel module running in its own memory space.

        This allows LSMs to 'police' both the 'App' and 'kernel'.

        For example, Sandbox technology in IE8, Chrome browser is only as good as the underlying O/S security model (the Windows kernel), which has been recently shown to be capable of compromise (BSoD/rootkit W7 32-bit).

        Unlike Windows 7, LSMs run outside of the kernel memory space which is simply more secure.
        Dietrich T. Schmitz GNU/Linux Advocate
        • It still requires extra effort and configuration

          which goes back to my original point that Linux requires a lot more effort than necessary to keep it less vulnerable and up and running. I could use another operating system that isn't Linux which is secure right out of the box with little to no effort.
          Loverock Davidson
          • Actually no configuration effort. AppArmor is preinstalled on Ubuntu.

            Dietrich T. Schmitz GNU/Linux Advocate
          • (nt) But not enabled for Firefox, and many other apps by default

          • But still needs to be configured

            so my point still stands. In fact you posted many times how to AppArmor an application. Explain to us how that is not extra effort and configuration.
            Loverock Davidson
        • Re:

          "For example, Sandbox technology in IE8, Chrome
          browser is only as good as the underlying O/S
          security model (the Windows kernel), which has
          been recently shown to be capable of compromise
          (BSoD/rootkit W7 32-bit)."

          So Windows 7 x64 is as secure as Linux?
      • Why do you eat dog crap?

        It doesn't.