iPhone 4S Hacked By Dutch Team at Mobile Pwn2Own
Posted September 19, 2012 at 10:04pm by iClarified
At the latest Pwn2Own competition, Dutch hackers exploited a WebKit bug that allowed them to hijack the iPhone's address book, photos, videos, and browsing history. Joost Pol and Daan Keuper demonstrated their attack at the Pwn2Own event in Amsterdam.
This exploit gave the pair $30,000 in cash, as well as a BlackBerry Playbook since RIM was the sponsor.
In an interview, Joost Pol stated that "We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day."
It was a basic vulnerability but we had to chain a lot of things together to write the exploit," Pol said, making it clear that the entire exploit only used a single zero-day bug to sidestep Apple's strict code signing requirements and the less restrictive MobileSafari sandbox.
Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.
The exploit itself took some jumping around. With the WebKit bug, which was not a use-after-free flaw, the researchers had to trigger a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used that memory overwrite to cause a read/write gadget, which provided a means to read/write to the memory of the iPhone. "Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing," Keuper explained.
Despite obliterating the security in Apple's most prized product, Pol and Keuper insists that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."
The exploit worked on 5.1.1 and even the iOS 6 GM release. Devices like the Pad, iPhone 4, and previous versions of the iPod Touch were all exploitable.
Read More via EvilPenguin
This exploit gave the pair $30,000 in cash, as well as a BlackBerry Playbook since RIM was the sponsor.
In an interview, Joost Pol stated that "We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day."
It was a basic vulnerability but we had to chain a lot of things together to write the exploit," Pol said, making it clear that the entire exploit only used a single zero-day bug to sidestep Apple's strict code signing requirements and the less restrictive MobileSafari sandbox.
Although the successful attack exposed the entire address book, photo/video database and browsing history, Pol and Keuper said they did not have access to the SMS or e-mail database. "Those are not accessible and they're also encrypted," Keuper explained.
The exploit itself took some jumping around. With the WebKit bug, which was not a use-after-free flaw, the researchers had to trigger a use-after-free scenario and then abuse that to trigger a memory overwrite. Once that was achieved, Pol and Keuper used that memory overwrite to cause a read/write gadget, which provided a means to read/write to the memory of the iPhone. "Once we got that, we created a new function to run in a loop and used JIT to execute the code without signing," Keuper explained.
Despite obliterating the security in Apple's most prized product, Pol and Keuper insists that the iPhone is the most secure mobile device available on the market. "It just shows how much you should trust valuable data on a mobile device. It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security."
The exploit worked on 5.1.1 and even the iOS 6 GM release. Devices like the Pad, iPhone 4, and previous versions of the iPod Touch were all exploitable.
Read More via EvilPenguin