Miller wins Pwn2Own again with iPhone 4 exploit [U]

updated 06:50 pm EST, Fri March 11, 2011

Blackberry Torch 9800 said to be "far less secure"

[Update: Miller says Apple will issue a patch] Hacker Charlie Miller, who has repeatedly won the CanSecWest "Pwn2Own" security competition in Vancouver, seems to enjoy owning Apple products -- but mainly by winning them after demonstrating a security vulnerability. Miller, who has previously compromised an (original) MacBook Air and has since focused mostly on vulnerabilities in WebKit and Safari, used that technique again this year to compromise an iPhone 4, thus winning it. The exploit Miller used has been blocked in the release of iOS 4.3, but the vulnerability in WebKit still exists, he told ZDNet.

The exploit, which relies on return-oriented programming (ROP) to work, can be triggered simply by surfing to a specially-rigged website. On his first attempt, MobileSafari crashed -- but a second attempt allowed Miller access to the iPhone's full Contacts list, including copying the data from it.

With iOS 4.3, which was released the same day as the competition, the vulnerability is much harder to reach -- Apple has quietly added Address Space Layout Randomization (ASLR) to its existing Data Execution Prevention (DEP), meaning the technique Miller used would have failed if the contest had been held a few days later. Contest rules stipulate that the iPhone 4 was fully patched (running 4.2.1) at the time.

After the demonstration, Miller posted to his Twitter account that the specifics of the vulnerability were shared with Apple, and that it will soon issue a patch (presumably v4.3.1) of iOS to close the exploit.

Miller, who typically spends weeks or months discovering vulnerabilities and then preparing his technique for public exhibition so that it all happens very quickly, teamed up with a colleague from his workplace, Independent Security Evaluators, to develop the winning exploit. Miller himself is considered one of the top minds in the field of data security, having spent five years at the National Security Agency (NSA) before joining ISE. He also holds a Ph.D. in mathematics from the University of Notre Dame.

He told ZDNet that Apple has greatly improved security on the iPhone over the years. Miller first hacked an iPhone in 2007 via the MobileSafari browser (at the time he could read the log of SMS messages, the address book, the call history and voicemail data). The original iPhone, he said, had no sandboxing and "everything ran as root," making exploits very easy.

Two years later, he partnered with Colin Mulliner to exploit a bug in the way the iPhone handled SMS messages. He admitted that if the iPhone he used in this year's competition had been patched to iOS 4.3 that day, his exploit would not have worked.

In addition to keeping the iPhone 4, Miller also won a $15,000 cash prize. Another team using a similar WebKit exploit easily cracked a Blackberry Torch 9800, obtaining even more information from it than Miller was able to get from the iPhone 4. Blackberries do not yet implement DEP or ASLR or even code signing, and the team behind the cracking described the Blackberry as "way behind the iPhone" in terms of security. [via ZDNet]

By Electronista Staff
  1. Foxypaco (Fresh-Faced Recruit, Joined: Apr 2010)

     This guy

     is pretty badazz.

  2. normr (Fresh-Faced Recruit, Joined: Mar 2002)

     Apple needs to hire this guy

     Apple needs to hire this guy or buy the company and lock up their devices so we can continue to enjoy the platform and not have the aggravation that most PC owners have to endure.

  3. testudo (Forum Regular, Joined: Aug 2001)

     > With iOS 4.3, which was released the same day as the competition, the vulnerability is much harder to reach

     Well, he may not have been able to win the iPhone, but that wouldn't have made the problem any less worse. It depends on how quickly the iPhone user base actually updates their phone's OS. Most people, I would guess, may never do it, or not do it for a month or two. h***, unless you actually go looking for it, you may not even know an update exists. Or not until the random time you plug your iPhone into your computer.
