Skip the navigation

iPhone falls in Pwn2Own hacking contest

By Robert McMillan
March 24, 2010 07:44 PM ET

IDG News Service - A delayed flight didn't stop Vincenzo Iozzo and Ralf Weinmann from scoring a cool US$15,000, a brand-new iPhone and a trip to Las Vegas at the annual Pwn2Own hacking contest in Vancouver on Wednesday.

The security researchers developed an undisclosed attack on the iPhone's mobile Safari browser to get access to a phone and then run a program that sent the phone's SMS messages to a Web server.

It is the first fully functioning attack on an iPhone since Apple released version 2 of the device in 2008, said Charlie Miller, the hacker who is set to follow the iPhone attack with an exploit he hopes will hack into the contest's MacBook Pro (his takeaway, should he succeed: the laptop and $10,000).

Apple introduced a number of advanced security measures with iPhone 2.0, including a "sandbox" in the device's kernel that restricts what hackers can do on a compromised machine, and a cryptographic code-signing requirement that makes it harder for them to run their initial malicious payload.

"When iPhone 2.0 came out, it became a lot harder" to hack the device, said Miller, who earned fame three years ago as the first person to hack the iPhone.

In fact, Weinmann said he had been set to compete in last year's Pwn2Own contest but had to abandon his plans at the last minute when he discovered his attack only worked on jail-broken phones, which have been hacked to run unapproved applications. Jail-breaking circumvents the iPhone's memory protections, but the Pwn2Own rules force contestants to use unmodified phones.

The Pwn2Own contest pays contestants for their exploit code, which leverages software flaws to give the attacker a foothold on the machine being attacked. But because of the iPhone's sandbox architecture, Weinmann and Iozzo actually spent much more time working on their payload software.

To make their attack work, they used a technique called "return-oriented programming," in which they essentially cobble together instructions from different parts of the iPhone's memory. But even with this technique, the iPhone's sandbox restricted what they could do once they had hacked into the machine.

Return-oriented programming has been around for more than a decade, but this attack is the first public demonstration of this technique on the Arm microprocessor, contest organizers say.

Iozzo and Weinmann were selected by lot to be the first to try out their attack at the three-day hacking contest. But Iozzo wasn't actually at the conference when his slot came up. A delayed flight caused him to miss his connection to Vancouver, but a co-worker, Thomas Dullien (better known as Halvar Flake), stood in for him at the contest.

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies