
iPhone and BlackBerry brought down in hacker competition

Attack of the killer drive-bys


Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication.

Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It was the fourth year in a row that Charlie Miller, a principal security analyst at Independent Security Evaluators, landed a big prize in the Pwn2Own competition. In past years, he successfully commandeered fully patched Mac laptops after using fuzzing software to identify bugs in Apple's Safari browser. Using the same technique, it took him less than a week to discover a flaw in the iPhone software.

“It's a lot different,” he said, referring to the difference of fuzzing an iPhone simulator and software for the Mac. “There's not as much code to exploit, and exploiting it is harder because you can't just get shell code because the way it's designed it's really hard to just put your code in there and run it.”

Miller's exploit succeeded 24 hours after Apple released an iPhone update that stops his exploit from working properly. That's because iOS 4.3 adds a vulnerability mitigation feature known as ASLR, or address space layout randomization, which makes it hard to predict where code libraries and malicious payloads will sit in a device's memory.

“If you update your iPhone, my exploit won't work, and it would take a lot of work to make it work,” said Miller, who collaborated on the exploit with fellow Independent Security Evaluators researcher Dion Blazakis.

Under contest rules, software versions were locked two weeks ago, allowing Miller to walk away with $15,000 in prize money and the iPhone that he compromised.

Also compromised on Day Two of Pwn2Own was a BlackBerry Torch 9800 running BlackBerry 6 OS. Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and a cache of pictures stored on the device and write a file to its storage system. They did it by concocting a booby-trapped website that chained together a series of vulnerabilities, including an integer overflow flaw in the phone's WebKit-based browser.

The researchers compared their task of finding and exploiting a BlackBerry flaw to finding their way through a labyrinth in the pitch dark, because there is virtually no material documenting the internal workings of the Research in Motion handset.

“You can see how the browser works, but if it crashes you don't know anything,” Pinckaers said. “It's a system that no one knows anything about. Basically, it crashes or it doesn't crash, or it takes a very long time to respond. Those are the three options. So you have to (move) very slowly, one step at a time.”

Unlike the iPhone and Microsoft's Windows 7 Mobile, the BlackBerry doesn't come with ASLR or another protection known as data execution prevention and offers only a rudimentary security sandbox to isolate apps from more sensitive parts of the OS, the researchers said.

They had help from researcher Ralf Philipp Weinmann.

Also up for grabs on Day Two were a Dell Venue Pro running Windows 7 Mobile and a Nexus S running Google's Android OS. A researcher who signed up to attack the Dell handset using an exploit in the baseband processor used to connect to carrier networks withdrew at the last minute and may try again on Friday, during the final day of the competition. No one has stepped forward to attack the Android phone. No one attempted to compromise Mozilla's Firefox browser, which was also up for grabs on Thursday.

During Day One of Pwn2Own on Wednesday, the Safari and Internet Explorer browsers toppled under the weight of vulnerabilities that gave attackers full control of the underlying machines. No one attempted to hack Google's Chrome browser.

Now in its fifth year, Pwn2Own is sponsored by HP's TippingPoint division, which uses the exploits to develop signatures for intrusion prevention devices. It's being held at the CanSecWest security conference in Vancouver. ®
