Mobile Devices and Apps | Mobile O.S's => Smartphones | Wearables | Concepts | etc. => Topic started by: javajolt on March 11, 2011, 04:56:21 PM

Title: Pwn2Own 2011: iPhone and BlackBerry fall
Post by: javajolt on March 11, 2011, 04:56:21 PM

The iPhone 4 and BlackBerry Torch 9800 didn’t resist for long against attacks made during the Pwn2Own competition. No participant has yet taken on the Google Chrome browser, Firefox or any Android or Windows Phone 7 powered smartphone during the competition.

On the second day of the Pwn2Own hacking competition, attention turned to smartphones. After the web browsers installed on Mac OS X Snow Leopard and Windows 7 machines, it was now the turn of smartphones to face their trial by fire.

Running iOS 4.2.1, the iPhone 4 couldn’t hold out against an attack conducted by Charlie Miller (a regular competitor who has recorded numerous victories) which was developed with the help of Dion Blazakis from Independent Security Evaluators.

Charlie Miller explained to ZDNet that the attack required a user to view a booby-trapped web page. A flaw in Mobile Safari was exploited to steal contacts from the iPhone’s address book. The exploit got around DEP (Data Execution Prevention), but this was only possible after crashing the browser and restarting it.

Exact details of the exploited vulnerability are being kept secret. The competition’s sponsor, TippingPoint, will communicate details of the issue to Apple, who will have six months to correct it before it is publicly disclosed. Apple nevertheless released update 4.3 to iOS last week, and Charlie Miller’s exploit fails against the new version. Apple has now added an additional layer of protection, ASLR (Address Space Layout Randomization).

ASLR helps prevent attackers from relying on known (predetermined) memory addresses, which can be used in buffer overflow attacks, while DEP helps prevent attacks by preventing malicious code from being executed from non-executable memory.

DEP and ASLR are measures found in Mac OS X and the latest versions of Windows. They have already been bypassed under certain conditions. Charlie Miller nevertheless estimates that this has become rather difficult with iOS 4.3. For their exploit, Charlie Miller and Dion Blazakis took home the $15,000 in prize money and an iPhone 4.

The next victim was the BlackBerry Torch 9800 running BlackBerry 6 OS. An international team (Vincenzo Iozzo, Willem Pinckaers, Ralf Philipp Weinmann) exploited numerous vulnerabilities present in WebKit. The exploit wasn’t the easiest to develop, in the sense that very little useful information is known about the BlackBerry system.

The team started from the principle that there was a browser and a Java virtual machine, and that they would be able to use these to penetrate deeper into the system. There is no ASLR or DEP protection to bypass, though. These features should be included in future versions of BlackBerry.

Last-minute withdrawals

The competition didn’t go any further than this. The participants registered to attack the Dell Venue Pro running Windows Phone 7 and the Nexus S running Android didn’t show up. This is likely due to exploits which were not reliable enough, but the list of people registered for the Dell Venue Pro also included the name George Hotz. It is understandable that he wasn’t present, since he currently has some legal issues to deal with after he jailbroke Sony’s PS3.

There is still a final day to run in the Pwn2Own competition, but little action is likely to be seen. On the first day, the Safari browser on Mac OS X and Internet Explorer 8 on Windows 7 fell. This wasn’t the case with Google Chrome, as no one took up the challenge. The same went for Firefox 3.6, with the competitor withdrawing from the competition.