Wednesday, March 24, 2010

iPhone Hacked Via Safari At Pwn2Own

 Hackers,  Iozzo and Weinmann compramised their fully patched iPhone in a total of 20 seconds.

The Zero Day Initiative (ZDI), an initiative founded by TippingPoint which organizes the security competition Pwn2Own, has confirmed via Twitter that contestants Vincenzo Iozzo and Ralf Philipp Weinmann successfully exploited the iPhone via a 0day Safari hack! 

@thezdi Vincenzo Iozzo and Ralf Philipp Weinmann successfully exploit the iPhone via Safari! Their payload pulled the SMS database. #pwn2own

The team of Iozzo and Weinmann were the first candidates in the hacking contest and the iPhone, which was hacked in less than 10 minutes, is the first smartphone to fall in the contest in the last two years. The iPhone was a 3GS model and was running iPhone OS 3.1.3.

Up next Charlie Miller gets to take his crack at exploiting Safari I believe on an Apple Macbook Pro running OS X. Stay tuned for more details.

Update: additional details courtesy the ThreatPost:

The exploit crashed the iPhone's browser session but Weinmann said that, with some additional effort, he could have a successful attacked with the browser running.

"Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control," Weinmann explained. Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Halvar Flake, a renowned security researcher who assisted with the winning exploit, said the biggest hiccup was bypassing the code-signing mitigation implemented by Apple on its flagship mobile device.

"This exploit doesn't get out of the iPhone sandbox," Flake explained, noting that an attacker can do enough damage without escaping from the sandbox.

"Apple has pretty good counter-measures but they are clearly not enough. They way they implement code-signing is too lenient," Flake added.

In addition to hijacking the SMS database, Weinmann said the winning Pwn2Own exploit could have exfiltrated the phone contact list, photographs and iTunes music files. He was unsure if the exploit could have hijacked e-mails.

Weinmann declined to publicly discuss the techniques he used to find the vulnerability. "We're working on developing techniques to find a certain class of vulnerabilities. I don't want to discuss it too much."

Aaron Portnoy, a security researcher at TippingPoint Zero Day Initiative (the company sponsoring Pwn2Own), described the attack as "very impressive."

"It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a Web page was loading."

TippingPoint ZDI acquired the exclusive rights to the flaw information. The company will report the issue to Apple and will withhold details until a patch is released.

Weinmann and Iozzo won a $15,000 cash prize and got the keep the hijacked iPhone.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you