Charlie Miller wins Pwn2Own again with iPhone 4 exploit

Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Written by Ryan Naraine, Contributor

VANCOUVER -- Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.

Miller (right), renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.

Miller partnered with colleague Dion Blazakis from Independent Security Evaluators on the winning exploit.

The attack simply required that the target iPhone surfs to a rigged web site.  On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.

[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]

In an interview with ZDNet, Miller said the attack works perfectly against an iPhone running iOS 4.2.1 but will fail against the newest iOS 4.3 update.

Apple has quietly added ASLR (address space layout randomization) to iOS 4.3, a key mitigation that puts up an extra roadblock for hackers.

"If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work," Miller said.

Miller's winning exploit used ROP (return oriented programming) techniques to bypass DEP.

This is not the first time Miller has successfully broken into a fully patched iPhone.  In 2007, Miller exploited the new iPhone's Safari browser to launch code that read the log of SMS messages, the address book, the call history, and the voicemail data.  Then in 2009, Miller teamed up with Colin Mulliner to exploit a memory corruption bug in the way the iPhone handles SMS messages.

[ SEE: Safari/MacBook first to fall at Pwn2Own 2011 ]

Over the years, Miller said the iPhone's security posture has improved significantly.

"The first one [in 2007] was really, really easy.  They had nothing, no sandboxing.  Everything was running as root.  It was super easy.   The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn't in a sandbox."

"As of 4.3, because of the new ASLR, it will be much harder," Miller added.

Miller and Blazakis won a $15,000 cash prize and kept the hijacked iPhone 4.


Editorial standards