Feeds

iPhone and BlackBerry brought down in hacker competition

Attack of the killer drive-bys

High performance access to file storage

Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication.

Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It was the fourth year in a row that Charlie Miller, a principal security analyst at Independent Security Evaluators, landed a big prize in the Pwn2Own competition. In past years, he successfully commandeered fully patched Mac laptops after using fuzzing software to identify bugs in Apple's Safari browser. Using the same technique, it took him less than a week to discover a flaw in the iPhone software.

“It's a lot different,” he said, referring to the difference of fuzzing an iPhone simulator and software for the Mac. “There's not as much code to exploit, and exploiting it is harder because you can't just get shell code because the way it's designed it's really hard to just put your code in there and run it.”

Miller's exploit succeeded 24 hours after Apple released an iPhone update that blocks his exploit for working properly. That's because iOS 4.3 adds a vulnerability mitigation feature known as ASLR, or address space layout randomization, that makes it hard to predict where code libraries and malicious payloads will be in a device's memory.

“If you update your iPhone, my exploit won't work, and it would take a lot of work to make it work,” said Miller, who collaborated on the exploit with fellow Independent Security Evaluators researcher Dion Blazakis.

Under contest rules, software versions were locked two weeks ago, allowing Miller to walk away with $15,000 in prize money and the iPhone that he compromised.

Also compromised on Day Two of Pwn2Own was a BlackBerry Torch 9800 running BlackBerry 6 OS. Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and and cache of pictures stored on the device and write a file to its storage system. They did it by concocting a booby-trapped website that chained together a series of vulnerabilities, including an integer overflow flaw in the phone's Webkit-based browser.

The researchers compared their task of finding and exploiting a Blackberry flaw to finding their way through a labyrinth in the pitch dark because there is virtually no material documenting the internal workings of the Research in Motion handset.

“You can see how the browser works, but if it crashes you don't know anything,” Pinckaers said. “It's a system that no one knows anything about. Basically, it crashes or it doesn't crash, or it takes a very long time to respond. Those are the three options. So you have to (move) very slowly, one step at a time.”

Unlike the iPhone and Microsoft's Windows 7 Mobile, the BlackBerry doesn't come with ASLR or another protection known as data execution prevention and offers only a rudimentary security sandbox to isolate apps from more sensitive parts of the OS, the researchers said.

They had help from researcher Ralf Philipp Weinmann.

Also up for grabs on Day Two were a Dell Venue Pro running Windows 7 Mobile and a Nexus S running Google's Android OS. A researcher who signed up to attack the Dell handset using an exploit in the baseband processor used to connect to carrier networks withdrew at the last minute and may try again on Friday, during the final day of the competition. No one has stepped forward to attack the Android phone. No one attempted to compromise Mozilla's Firefox browser, which was also up for grabs on Thursday.

During Day One of Pwn2Own on Wednesday, the Safari and Internet Explorer browsers toppled under the weight of vulnerabilities that gave attackers full control of the underlying machines. No one attempted to hack Google's Chrome browser.

Now in its fifth year, Pwn2Own is sponsored by HP's TippingPoint division, which uses the exploits to develop signatures for intrusion prevention devices. It's being held at the CanSecWest security conference in Vancouver. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.