iPhone Hacked Via Mobile Safari Exploit At Pwn2Own; Hijacks SMS Database

News | Tuesday March 23 2010 11:12 PM

Vincenzo Iozzo and Ralf Philipp Weinmann successfully exploit the iPhone via Safari! Their payload pulled the SMS database.
, it affects security of all iPhones.
The exploit crashed the iPhone's browser session, but Weinmann said that, with some additional effort, he could have carried out a successful attack with the browser still running.
“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control.”
Vincenzo Iozzo (32) and Ralf Philipp Weinmann (22) found the vulnerability and also wrote the exploit. They also got assistance from Halvar Flake, a renowned security researcher.
“The biggest hiccup was bypassing the code-signing mitigation implemented by Apple on its flagship mobile device.
Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient.”
In addition to hijacking the SMS database, Weinmann believes that the exploit could have also hijacked the phone contact list, photographs and iTunes music files though he wasn’t sure if it would be able to hijack emails.
Weinmann and Iozzo won a cash prize of $15,000 and also get to keep the hacked iPhone.
It will be interesting to see when Apple releases an update to close the exploit as it sounds quite scary that a rigged site could get access to your personal data on the iPhone.
Let us know your thoughts in the comments.
