“The annual CanSecWest PWN2OWN hacking contest has done it again and provided us news types with the perfect headline writing opportunity as the Apple iPhone falls to the hackers in just 20 seconds,” Davey Winder reports for DaniWeb. “The hackers in question, Vincenzo Iozzo and Ralf Weinmann, picked up the prize of $15,000 and an iPhone for being the first to launch a successful attack on the smartphone in Vancouver.”
MacDailyNews Take: Hackers in such contests pick Apple products to attack first in order to maximize publicity. Then they knock off lesser products that nobody cares about. The fact that hacking Apple is so lusted after combined with the fact that zero self-propagating viruses have ever successfully attacked Mac OS X users in the wild — in over 9 years, no less — speaks volumes.
Winder reports, “It took a little longer than 20 seconds to run that previously unknown hack attack using the Safari browser on the iPhone which allowed the SMS messages on the device, including those which had been previously deleted, to be sent to a remote server. How much longer? How does a couple of weeks of preparation sound?”
“Yes, for this SMS database hacking attack to work you need a user to be stupid at a website beforehand but that’s par for the insecurity cause,” Winder reports. “The worrying thing, I would say, is that the hackers demonstrated it was relatively easy to bypass Apple code-signing routines and exploit non-root user privileges in the first place. Especially as we are not talking about previously Jailbroken devices here as the PWN2OWN contest rules insist that only unmodified iPhones can be used.”
Full article here.
MacDailyNews Take: As always, thanks to anyone who finds and privately discloses security issues to Apple for the company to fix. This improves the security of Apple products. Too bad it generates tons of horribly overblown media hype in the process.
OH NO, before you know it iPhone OS will be bogged down with viruses, just like Mac OS X was when they came out with those exploits and viruses a few years ago! WE ARE DOOMED
(/sarcasm for those who need it)
“Yes, for this SMS database hacking attack to work you need a user to be stupid at a website beforehand”
They must be referring to the millions of Windows drones that continue to support and buy their POS.
Of course, the hack has been prepared weeks ahead! What do you think? Hackers take a lot of time to find out how to break doors… But what is dangerous, is that it take only 20 seconds to get informations with.
Apple could just do a similar thing as Opera: use their new lines of servers to predigest the websites and send clean copies streamed to the iPhone.
This is probably the safiest way to go.
GAWD! Who sells NOD32 for iPhone. Or was that Norton? Simi something! So long ago and hard to remember. Hey! An idea. I will call my PC user friends.
For sure, they know.
” width=”19″ height=”19″ alt=”grin” style=”border:0;” />
Is the mythical Mac security why Apple has been throwing out security updates to Safari the last couple of weeks?
pwnd!
All these hacks always need some sort of user help. Okay, here is my login information and if that is not enough here is my drivers license, social security card, bank card and my DNA, have fun. Give me a fscking break.
Actually, the iPhone, Safari 4, Firefox 3.6, and IE8 were all hacked in seconds.
This simply proves that anything with a web browser is potentially vulnerable to those who really want access.
YAWWWWWNN………..
amusing.
How much time did they take to prepare for the contest…… and you mean it requires a bit of social engineering….
I want to see someone take over an iphone WITHOUT the “yeah..but..”
Anyone? anyone???
*crickets*
Okay, yes we get it, if your computer is connected to the internet, there’s will always be a possibility of getting hacked or getting a virus, not much unlike you as a human going out in public, that there’s always a chance of you catching a cold or the flu. The odds are against it, but the chance is there. So, what’s the only way to avoid catching a cold? Don’t ever go out. And what’s the only way of not getting hacked? Unplug from the internet.
As a human, I’ll risk catching a cold and go out, but when I go out, I’ll be smart about it and wash my hands often and avoid people coughing in my face. Likewise with the internet, I’ll avoid sketchy sites, and emails and webpages asking for personal information/account numbers.
As long as my computer/phone/media gadget is connected publicly there will always be a possibility of if getting hacked or catching a virus, but if I’m smart about it, I should be able to keep the odds extremely low to non-existent that it will. (and using an Apple product is about 90% of the being smart part!)
Does it really matter how long it takes to actually do? I mean, if it takes 10 months to figure out then 20 seconds to execute is that better or worse than a hack that takes 10 minutes to work out and 20 minutes to execute? I’m not casting any judgment or defending anything and it goes for any device or software, not just apple but as always it’s not exactly the whole story.
Fortunately for iPhone users this is a an exploit that the user has to trigger, so while being a security hole it is not something extremely serious. It can only access areas of the file system that aren’t “locked down” for whatver reason Apple chose.
“Yes, for this SMS database hacking attack to work you need a user to be stupid at a website beforehand blah blah blah blah…”
*YAWN*
Until they start coming out with an avalanche of completely automatic exploits requiring no user stupidity (just like on Windows), I really don’t see what the fuss is all about.
So they needed physical access to the phone?
The big prize for hacking the iPhone included an iPhone.
Ironic.
uh huh…. So all the hacker has to do is; Lure the victim er, user, to a malicious website.
So, keep away from pr0n and beware of “click here you may be infected” pop ups.
Just isn’t that hard, only needs a tiny amount of rational thought.
“Actually, the iPhone, Safari 4, Firefox 3.6, and IE8 were all hacked in seconds.
This simply proves that anything with a web browser is potentially vulnerable to those who really want access.”
Exactly. And another good example of why PWN2OWN is of limited utility in the larger scheme of things.
There is no technical protection against someone dedicated to scam you and the victim wanting something for nothing.
@darknite. A good phishing attack or getting a well designed email that has malicious code imbedded in an image is a much probable issue. Even on a mac you may be suceptable. It’s not likely but you don’t have to be a dumb user. A lot can rely on your email program or browser settings.
It’s not like this person invented the hack in 20 seconds.
The important thing is that sensible iPhone and Mac users out in the real world are not being harassed by hackers and their malware.
They must have changed the rules. It used to be that on the first day, they had to break in without any action on the target. The second day they could touch the target and make it do something, like go to a URL.
@ Gabriel
“completely automatic exploits requiring no user stupidity (just like on Windows)”
Isn’t that a waste of readily available resource?
This is comparable to home security; where technologies like ADT will protect you from intruders lurking, it certainly won’t protect you from those you let in the door and look innocent enough.
I say kudos to the guys. This was not a phishing attack, it was a genuine hack. However they still didn’t have complete access to the file system, just to those parts exposed to applications (eg; contacts etc). This is good news for the platform as it will improve security.