updated 06:50 pm EST, Fri March 11, 2011
BlackBerry Torch 9800 said to be "far less secure"
[Update: Miller says Apple will issue a patch] Hacker Charlie Miller, who has repeatedly won the CanSecWest "Pwn2Own" security competition in Vancouver, seems to enjoy owning Apple products -- but mainly by winning them after demonstrating a security vulnerability. Miller, who has previously compromised an (original) MacBook Air and has since focused mostly on vulnerabilities in WebKit and Safari, used that technique again this year to compromise an iPhone 4, thus winning it. The exploit Miller used has been blocked in the release of iOS 4.3, but the vulnerability in WebKit still exists, he told ZDNet.
The exploit, which relies on return-oriented programming (ROP) to work, can be triggered simply by surfing to a specially-rigged website. On his first attempt, MobileSafari crashed -- but a second attempt allowed Miller access to the iPhone's full Contacts list, including copying the data from it.
With iOS 4.3, which was released the same day as the competition, the vulnerability is much harder to exploit -- Apple has quietly added Address Space Layout Randomization (ASLR) to its existing Data Execution Protection (DEP), meaning the technique Miller used would have failed if the contest had been held a few days later. Contest rules stipulate that the iPhone 4 was fully patched (running 4.2.1) at the time.
After the demonstration, Miller posted to his Twitter account that the specifics of the vulnerability were shared with Apple, and that it will soon issue a patch (presumably v4.3.1) of iOS to close the exploit.
Miller, who typically spends weeks or months discovering vulnerabilities and then preparing his technique for public exhibition so that it all happens very quickly, teamed up with a colleague from his workplace, Independent Security Evaluators, to develop the winning exploit. Miller himself is considered one of the top minds in the field of data security, having spent five years at the National Security Agency (NSA) before joining ISE. He also holds a Ph.D. in mathematics from the University of Notre Dame.
He told ZDNet that Apple has greatly improved security on the iPhone over the years. Miller first hacked an iPhone in 2007 via the MobileSafari browser (at the time he could read the log of SMS messages, the address book, the call history and voicemail data). The original iPhone, he said, had no sandboxing and "everything ran as root," making exploits very easy.
Two years later, he partnered with Colin Mulliner to exploit a bug in the way the iPhone handled SMS messages. He admitted that if the iPhone he used in this year's competition had been patched to iOS 4.3 that day, his exploit would not have worked.
In addition to keeping the iPhone 4, Miller also won a $15,000 cash prize. Another team using a similar WebKit exploit easily cracked a BlackBerry Torch 9800, obtaining even more information from it than Miller was able to get from the iPhone 4. BlackBerries do not yet implement DEP or ASLR or even code signing, and the team behind the cracking described the BlackBerry as "way behind the iPhone" in terms of security. [via ZDNet]