
iPhone and BlackBerry brought down in hacker competition

Attack of the killer drive-bys


Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication.

Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It was the fourth year in a row that Charlie Miller, a principal security analyst at Independent Security Evaluators, landed a big prize in the Pwn2Own competition. In past years, he successfully commandeered fully patched Mac laptops after using fuzzing software to identify bugs in Apple's Safari browser. Using the same technique, it took him less than a week to discover a flaw in the iPhone software.

“It's a lot different,” he said, referring to the difference between fuzzing an iPhone simulator and fuzzing software for the Mac. “There's not as much code to exploit, and exploiting it is harder because you can't just get shell code because the way it's designed it's really hard to just put your code in there and run it.”

Miller's exploit succeeded 24 hours after Apple released an iPhone update that prevents his exploit from working. That's because iOS 4.3 adds a vulnerability mitigation feature known as ASLR, or address space layout randomization, that makes it hard to predict where code libraries and malicious payloads will be in a device's memory.

“If you update your iPhone, my exploit won't work, and it would take a lot of work to make it work,” said Miller, who collaborated on the exploit with fellow Independent Security Evaluators researcher Dion Blazakis.

Under contest rules, software versions were locked two weeks ago, allowing Miller to walk away with $15,000 in prize money and the iPhone that he compromised.

Also compromised on Day Two of Pwn2Own was a BlackBerry Torch 9800 running BlackBerry 6 OS. Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and a cache of pictures stored on the device and write a file to its storage system. They did it by concocting a booby-trapped website that chained together a series of vulnerabilities, including an integer overflow flaw in the phone's WebKit-based browser.

The researchers compared their task of finding and exploiting a BlackBerry flaw to finding their way through a labyrinth in the pitch dark because there is virtually no material documenting the internal workings of the Research in Motion handset.

“You can see how the browser works, but if it crashes you don't know anything,” Pinckaers said. “It's a system that no one knows anything about. Basically, it crashes or it doesn't crash, or it takes a very long time to respond. Those are the three options. So you have to (move) very slowly, one step at a time.”

Unlike the iPhone and Microsoft's Windows 7 Mobile, the BlackBerry doesn't come with ASLR or another protection known as data execution prevention and offers only a rudimentary security sandbox to isolate apps from more sensitive parts of the OS, the researchers said.

They had help from researcher Ralf Philipp Weinmann.
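The integer overflow mentioned above is a bug class worth seeing in miniature from the defender's side. The example below is an added illustration, not code from the BlackBerry browser or from any of the researchers; it uses a constructed image-decoder scenario with made-up dimensions. It shows a buffer-size computation done the way such bugs are typically introduced (unchecked 32-bit multiplication that wraps to a tiny value) beside a hardened version that checks every product and caps the result, which is the mitigation a code reviewer would ask for.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed example: a browser-style image decoder reads width, height and
 * bytes-per-pixel from untrusted data and sizes a pixel buffer from them.
 * The dimensions used below are made up; nothing here is vendor code. */

/* Before: 32-bit arithmetic wraps silently, so an image claiming 2^34 bytes
 * yields a zero-byte buffer that the decoder will later write past. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* After: reject unreasonable bpp, check each multiplication for overflow
 * (gcc/clang builtin), and cap the total. Returns 0 and stores the size on
 * success, -1 when the input must be refused. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                        uint32_t max_bytes, uint32_t *out)
{
    uint32_t area, total;
    if (bpp == 0 || bpp > 8)
        return -1;
    if (__builtin_mul_overflow(width, height, &area))
        return -1;
    if (__builtin_mul_overflow(area, bpp, &total))
        return -1;
    if (total > max_bytes)
        return -1;
    *out = total;
    return 0;
}

/* Policy used by the examples below: no pixel buffer larger than 64 MiB. */
#define MAX_PIXEL_BYTES (64u << 20)

/* Accept/reject view of the same check, convenient for callers and tests. */
int image_dimensions_accepted(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes;
    return checked_pixel_bytes(width, height, bpp, MAX_PIXEL_BYTES, &bytes) == 0;
}

/* Allocate the pixel buffer only when the size survives the checks. */
uint8_t *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes;
    if (checked_pixel_bytes(width, height, bpp, MAX_PIXEL_BYTES, &bytes) != 0)
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* 65536 x 65536 x 4 claims 2^34 bytes; the naive product wraps to 0. */
    printf("naive size for 65536x65536x4: %u bytes\n",
           naive_pixel_bytes(65536u, 65536u, 4u));

    uint8_t *p = alloc_pixels(65536u, 65536u, 4u);
    printf("checked 65536x65536x4: %s\n", p ? "allocated" : "rejected");
    free(p);

    p = alloc_pixels(640u, 480u, 4u);
    printf("checked 640x480x4: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The naive form is what a fuzzer finds: a header with absurd dimensions produces a small allocation followed by a large write. The hardened form turns the same input into a clean rejection before any memory is touched, and the size cap additionally refuses inputs that fit in 32 bits but are still unreasonable for the device.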

Also up for grabs on Day Two were a Dell Venue Pro running Windows 7 Mobile and a Nexus S running Google's Android OS. A researcher who signed up to attack the Dell handset using an exploit in the baseband processor used to connect to carrier networks withdrew at the last minute and may try again on Friday, during the final day of the competition. No one has stepped forward to attack the Android phone. No one attempted to compromise Mozilla's Firefox browser, which was also up for grabs on Thursday.

During Day One of Pwn2Own on Wednesday, the Safari and Internet Explorer browsers toppled under the weight of vulnerabilities that gave attackers full control of the underlying machines. No one attempted to hack Google's Chrome browser.

Now in its fifth year, Pwn2Own is sponsored by HP's TippingPoint division, which uses the exploits to develop signatures for intrusion prevention devices. It's being held at the CanSecWest security conference in Vancouver. ®
