Mobile Pwn2Own: iPhone 4S hacked by Dutch team

Summary: How long would it take a determined attacker to hack into Apple's iPhone 4S from scratch? A Dutch research team uses the Pwn2Own contest to provide the answer.

AMSTERDAM -- How long would it take a determined attacker to hack into Apple's iPhone device from scratch?

That was the intellectual challenge that drove a pair of Dutch researchers to start looking for an exploitable software vulnerability that would allow them to hijack the address book, photos, videos and browsing history from a fully patched iPhone 4S.

The hack, which netted a $30,000 cash prize at the mobile Pwn2Own contest here, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.

"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol, CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."

"We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day," Pol said in an interview.

"It was a basic vulnerability but we had to chain a lot of things together to write the exploit," Pol said, making it clear that the entire exploit only used a single zero-day bug to sidestep Apple's strict code signing requirements and the less restrictive MobileSafari sandbox.


Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.

The exploit itself took some jumping around. With the WebKit bug, which was not a use-after-free flaw, the researchers had to trigger a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used that memory overwrite to cause a read/write gadget, which provided a means to read/write to the memory of the iPhone. "Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing," Keuper explained.

It was a clever end-around Apple's code signing requirements and Pol described the entire exploit as "messing up the iPhone state internally in such a fashion that we got a lot of little bugs."

"We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out today will be vulnerable to this attack," Pol said. Over the course of the research, Pol and Keuper tested the exploit on the iOS 6 GM (golden master) code and also confirmed that it worked on the iPad, iPhone 4, iPod touch (all previous versions).

Despite obliterating the security in Apple's most prized product, Pol and Keuper insist that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."

"Even the BlackBerry doesn't have all the security features that the iPhone has. For example, BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said matter-of-factly.

He reckons that the Android platform is also "much better" than BlackBerry and said the decision to go after iPhone 4S at Pwn2Own was simply aimed at going after the harder target.

"We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target. That's the big message. No one should be doing anything of value on their mobile phone," Pol said.

Pol said he never considered the value of the vulnerability and exploit on the open market. "We have a successful company so money is not our motivation. How much did we win? I don't even know for sure. We are not in the business of selling zero-days. That's boring."

"It's really about the research to make a fair, transparent and open message that a motivated attacker will always win."

During the Pwn2Own attack, Pol created a web site that included an amusing animation of the Certified Secure logo taking a bite of the Apple logo. The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker's remote server. "If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage."

The duo destroyed the exploit immediately after the Pwn2Own hack. "We shredded it from our machine. The story ends here, we're not going to use this again. It's time to look for a new challenge," Pol said.

He provided the vulnerability and proof-of-concept code that demonstrates the risk to contest organizers at HP TippingPoint Zero Day Initiative (ZDI).

Pol also wanted to make a larger point about vulnerability research and the way it is perceived in the industry. "You know, people think that these things are so hard to do, that it's only theoretical and that it's only Charlie Miller or Willem Pinckaers (previous Pwn2Own winners) capable of doing this. There are many people -- good and bad -- who can do this. It's important for people to understand, especially businesses, that mobile devices should never be used for important work."

"The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It's simple as that. There are a lot of people taking photos on their phones that they shouldn't be taking," Pol said, emphasising that a mass-attack using rigged ad networks could be incredibly dangerous.

  • Userland Jailbreak

    They should have used it as a userland jailbreak... Then we wouldn't have to wait until iOS 6.0.1 to be safe from this, we could download a patch from Cydia
  • This is unpossible!

    They must be lying, I'm sure...

    • RE:This is unpossible!

      Of course they are lying. This will nevar happen evar! Everyone who disagrees or says anything negative about Apple are paid shills of the Windows/Linux war machine! Lies!
      Those who hunt Trolls
      • OH the straw man yet again

        Straw man arguments are tired and just darn offensive.

        Plus your reading is selective:
        "Pol and Keuper insists that the iPhone is the most secure mobile device available on the market."

        So go hunt yourself.
        • BlackBerry

          So he "insists" but there was no BlackBerry actually hacked, right?

          Talks are cheap. Show me the hacked BlackBerry or GTFO.

          BlackBerry is the ONLY smartphone certified with FIPS, so some shit talks from a random hacker doesn't mean a thing until proven.
          • FIPS certification...

            I don't know you, don't recall ever seeing you post before, but I already know you are not worth paying any attention to, ever. learn to read, or at least google...

            first result from google:


            and the third result:

            good try though. Android has been FIPS certified since 2.2 came out June 23rd 2010 on the Nexus one.

            (not that I care, but iOS received its certification at some point in 2010 also I believe.)
  • Impressive exploit but very poor message...

    I don't understand the message " Don't use your mobile device to do any important work"??! WHAT?? The same could be said about PCs! "don't use windows to do any important work". Windows is much weaker in security than IOS.... So, folks, let's not use any computing platform to do any important work. Give these devices to your employees so they can play Angry Birds and stay entertained. Go back to paper and pens to accomplish the important work ??!! And... my house can get broken into by people who can pick my lock and turn off the security system, let me replace my doors and windows with cement... Security is always proportionally inverse to usability, the long term issue here is to keep raising the walls to keep the bad guys out and allow the good guys to do their (productive) work.... Are the walls very high? I agree with these guys that they demonstrated that the answer is a clear "no".
    • The message is... buy their antivirus software of course, what else.
      Many of the articles here at ZDNet are ads and not much more.
      iOS is particularly interesting of course because of its many users and with the right preconditions you can even break into the Fort Knox if you want to, i.e. these so called Pwn2Own doesn't really say much about the platform's security, real life usage does though.
    • As Ben Franklin said...

      Three can keep a secret if two are dead
    • WHAT?? The same could be said about PCs!

      The difference being that most PCs are connected to the internet through a router/firewall device and generally have at least some sort of software watching out for malicious programs etc. but for some reason, the same people don't bother to protect their phones.
      • No that's not the point

        @ Mikael_z is right - you can break into anything.

        When an exploit is found it gets patched, eventually, hopefully.

        You can't protect your iPhone except by living behind a firewall or by VPN back to a firewall, this is impractical.

        Also a drive-by attack is not going to get stopped by a firewall.

        An argument for AV software is to me missing the point.

        I don't use AV software on OS X even, gave up Mac AV software in the 80's as a waste of time.

        PCs yes I use AV software, but then still get infections.

        Really it's a case of choose the best platform, which from this article is iOS for mobile devices.

        For computers I have had the best protection by using OS X. Much better than my protected windows machines.

        Then you are taking a calculated risk within that system.

        And you should have backups, and you shouldn't fall for phishing attempts etc.
        • Richard, Until recently, OS X had Zero defense mechanisms...

          outside of the inherent security of the OS, there were no modern defense systems layered into OS X like NT 6.x.
          You were secure because OS X was not targeted, period, end of story. now it is, and it's been easily hacked with large OS X botnets in existence today. All because Apple was drinking its own kool-aid, a fatal mistake.
          If you have done any reading, up through Leopard, protection measures were non existent in OS X and even Ars Technica pointed this out and how NT 6 had layered defense that made it a more secure OS.
          Sure, there are hundreds of thousands of criminals and terrorists worldwide still aiming at MSFT but they are having a lot more trouble now, and can really only hope to use social engineering to get access, which is true of any system. But with minuscule market, criminals and terrorists are not going to put their resources into building emails that target such a small market sector. The hit rate of an OS X crafted email was so small it would have been stupid for them to even consider it.
          Things have changed, and OS X has gotten knocked around and the world knows the truth, which has been told to Mac tards for years, but being on the Kool-Aid they didn't listen.
          Win7 is by far the most all around useful OS in the world, as well as the most secure.
          I've never run AV on Vista nor Win7 and never have had an issue.
          Besides, this is about how the iphone was hacked.
          We'll have to see how a win8 phone does in the wild. By all accounts it will take over as the most secure mobile OS.
          Try to stay away from the Kool Aid and you'll see the light.
    • No current system is secure.

      The weakest link is the person sitting in front of every system, whether it's a desktop, tablet, phone, or even server. If you click on a malicious site or ad, you're hosed. If you run a dodgy application, you're hosed. Training users to avoid those situations has never been reliable enough. Some protection has been layered on top, but the kernels are all still vulnerable.

      The only way we're going to get more secure devices is if we rethink the OS from the ground up and everyone has been too lazy to do that since the 80's. Everything out there is reusing kernel technologies from the last century. Even the protocols running the entire Internet have known flaws. We need a total redesign that's bullet proof from the ground up based on the accurate assumption that the user is going to do something unbelievably stupid on a daily basis.

      If it's critically important or secret, don't put it on any system attached to the Internet, whether it's a phone, a tablet, a laptop, a desktop, or whatever. System security is a myth.
  • That's some consolation: it took a whole 3 weeks to hack iOS 6/iPhone 4s...

    and then, people are supposed to feel secure about iOS?

    What matters is that it was hacked.

    Also, didn't the hackers mention that it took them 3 weeks, but, on a part-time basis? Other hackers working full-time probably would have taken less.

    The only thing worth mentioning from the article is that, nobody should trust their devices when performing any work of any value, such as monetary transactions where security matters.
    • Didn't they also say that the iPhone was the most secure

      ... of the three? After Blackberry's long run as the supposedly most-secure smartphone, THAT is saying a lot!
      • The problem is, that no phone is secure, if it can be hacked at all, so...

        the way I see it, "most secure" is subjective, and reality is that, no one should trust doing anything of value on any smartphone that can be hacked, even if it's the "hardest to hack". Hardest to hack is no consolation at all, since, if it is hackable at all, it's not secure.
        • It's not called hacking.

          It's cracking and attacking.

          Hackers are those that take a device or OS and make it do something completely different than what it's intended to do. Hacking is not breaking in or manipulating security flaws, or even adjusting a few lines of code.
        • I don't believe I argued that point, ado.

          Rather, the point is that anything--and I do mean anything--CAN be hacked, cracked and/or attacked. However, the hackers/crackers/attackers usually go for the easy target because there's less chance of failure. Considering all the factors available for the iPhone compared to the others, even if the phone does get "cracked", it's still possible to remotely delete the data and thus protect at least some of the information.

          There's still such a thing as Better security as compared to no security.
          • The point remains that, if it can be hacked/cracked/attacked, it's not


            Some can take consolation that, it happens less on some systems, but, if someone does get attacked or hacked or cracked, it won't help them at all to know it's the system that is the least vulnerable. That won't help at all after the fact.
      • DWFields .. it says a lot, yeah ... but about 'what'?

        "... Didn't they also say that the iPhone was the most secure of the three? After Blackberry's long run as the supposedly most-secure smartphone, THAT is saying a lot!"

        Yeah, "THAT is saying a lot!" ... what it's saying - and is proof of - is that even the most difficult platform to crack (in this case iOS) can be got at with a little perseverance and *a lot* of determination. The scary thing is, (1) these guys were doing day jobs - and only doing this part time! (2) they are on record as saying anyone with the requisite, background knowledge of hacking / cracking (with a bit of idle time on their hands) can do this AND, most significantly, (3) iOS was the hardest to crack (ergo: there were more hoops to jump through before hitting pay dirt) ... which, consequently, doesn't say much for the mitigation measures used on Android and in RIM's Blackberry phones.

        The big takeaway is just another sobering reminder that no application / software / software system coded is 100% secure. If someone coded it to mitigate attacks ... it's elementary that someone can decode and unravel the mechanisms built in to (..supposedly) "secure".