iPhone and BlackBerry brought down in hacker competition

Attack of the killer drive-bys

Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication.

Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It was the fourth year in a row that Charlie Miller, a principal security analyst at Independent Security Evaluators, landed a big prize in the Pwn2Own competition. In past years, he successfully commandeered fully patched Mac laptops after using fuzzing software to identify bugs in Apple's Safari browser. Using the same technique, it took him less than a week to discover a flaw in the iPhone software.

“It's a lot different,” he said, referring to the difference of fuzzing an iPhone simulator and software for the Mac. “There's not as much code to exploit, and exploiting it is harder because you can't just get shell code because the way it's designed it's really hard to just put your code in there and run it.”

Miller's exploit succeeded 24 hours after Apple released an iPhone update that blocks his exploit from working properly. That's because iOS 4.3 adds a vulnerability mitigation feature known as ASLR, or address space layout randomization, that makes it hard to predict where code libraries and malicious payloads will be in a device's memory.

“If you update your iPhone, my exploit won't work, and it would take a lot of work to make it work,” said Miller, who collaborated on the exploit with fellow Independent Security Evaluators researcher Dion Blazakis.

Under contest rules, software versions were locked two weeks ago, allowing Miller to walk away with $15,000 in prize money and the iPhone that he compromised.

Also compromised on Day Two of Pwn2Own was a BlackBerry Torch 9800 running BlackBerry 6 OS. Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and a cache of pictures stored on the device and write a file to its storage system. They did it by concocting a booby-trapped website that chained together a series of vulnerabilities, including an integer overflow flaw in the phone's WebKit-based browser.

The researchers compared their task of finding and exploiting a BlackBerry flaw to finding their way through a labyrinth in the pitch dark because there is virtually no material documenting the internal workings of the Research in Motion handset.

“You can see how the browser works, but if it crashes you don't know anything,” Pinckaers said. “It's a system that no one knows anything about. Basically, it crashes or it doesn't crash, or it takes a very long time to respond. Those are the three options. So you have to (move) very slowly, one step at a time.”

Unlike the iPhone and Microsoft's Windows 7 Mobile, the BlackBerry doesn't come with ASLR or another protection known as data execution prevention and offers only a rudimentary security sandbox to isolate apps from more sensitive parts of the OS, the researchers said.

They had help from researcher Ralf Philipp Weinmann.

Also up for grabs on Day Two were a Dell Venue Pro running Windows 7 Mobile and a Nexus S running Google's Android OS. A researcher who signed up to attack the Dell handset using an exploit in the baseband processor used to connect to carrier networks withdrew at the last minute and may try again on Friday, during the final day of the competition. No one has stepped forward to attack the Android phone. No one attempted to compromise Mozilla's Firefox browser, which was also up for grabs on Thursday.

During Day One of Pwn2Own on Wednesday, the Safari and Internet Explorer browsers toppled under the weight of vulnerabilities that gave attackers full control of the underlying machines. No one attempted to hack Google's Chrome browser.

Now in its fifth year, Pwn2Own is sponsored by HP's TippingPoint division, which uses the exploits to develop signatures for intrusion prevention devices. It's being held at the CanSecWest security conference in Vancouver. ®
