iPhone Pwned at Pwn20wn
Looks like our iPhone didn't put up much of a fight at the latest Pwn20own contest in Vancouver, falling on the first day to hacking duo Ralf Philipp Weinmann of the University of Luxembourg, and Vincenzo Iozzo of Zynamics according to CNET.
The team wins $15,000 for their efforts, which took them about 2 weeks to write. The exploit involved getting a user to go to a malicious website whose payload downloads and executes, stealing the contents of the iPhone's SMS database. (Though they said the same attack could be used to get contacts, photos, or any other data).
The exploit was written to bypass the digital code signatures used on the iPhone to verify that the code in memory is from Apple, he said. The exploit then looked for chunks in Apple's code that could be pieced together to accomplish the attack, according to Weinmann.
Bypassing Apple's security was "major issue" and used a process known since 1997 but not exploited on an ARM-based device like the iPhone until now.
The details of how the exploit was done are being kept confidential but will be shared with Apple.
Hacking the iPhone is nothing new, of course, as getting around Apple's security is how Jailbreak is achieved (and original iPhone 2G owners may remember one of the earliest Jailbreak techniques involved simply going to a website with Mobile Safari). Apple has been beefing up their security team so while it's not good news for Jailbreakers, future iPhone hardware and software should be harder targets.
Oh, and yes, Charlie Miller won $10,000 for exploiting Mac Safari. Again.