updated 09:02 pm EDT, Wed September 19, 2012
Vulnerability exposes contacts, photos, but not SMS or email
A vulnerability in WebKit, the engine behind Mobile Safari and other iOS browsers, allowed two Dutch professional security researchers to come up with an exploit that compromised an iPhone 4S and won the pair a $30,000 cash prize at the mobile Pwn2Own contest in Amsterdam. While the finished exploit can be deployed in minutes, finding a vulnerability to use in WebKit and developing the technique took about three weeks of dedicated work, Certified Secure CEO Joost Pol told interviewers. The vulnerability is not yet patched in iOS 6, the team says.
After finding the zero-day vulnerability in WebKit, Pol and Daan Keuper layered several other techniques on top of it to corrupt the browser's memory and inject new instructions, which directed the browser to a malicious website. The hack bypassed the code signing normally required, which allowed the duo to access photos, videos, contacts and browsing history. Email and SMS were not accessible, they said, because those stores were sealed off from the memory corruption and encrypted as well.
The pair pointed out that, even with the hack they discovered, iOS is undoubtedly the most secure mobile platform. Since the exploit they found could be used for harm, they decided to purge their machines of the code and erased all traces of it. "If [the attack they developed was seen] in the wild, [hackers] could embed the exploit into an ad on a big advertising network and cause some major damage," Pol said.
Until the problem is resolved, Pol advised that users, particularly those on Android and especially BlackBerry, "should never be doing ... anything of value on their mobile phone." Though the researchers destroyed their own code, the vulnerability exists in all versions of WebKit, even the latest in iOS 6, which was released today. Because the technique was publicly demonstrated, it is likely that other hackers will soon rediscover the issue and develop their own exploits. Pol provided the vulnerability and proof-of-concept code to the contest organizers, meaning it is possible the exploit could leak into the hacker community before Apple (which will be given a copy) can produce an update.
A Galaxy S III smartphone was also hacked, using a vulnerability in the Near-Field Communication software on the device -- possibly a concern that kept the technology out of the new iPhone 5, along with the lack of maturity of NFC use in North American retail. The hack allowed attackers to take full control of the smartphone, accessing all user data by simply "beaming" an exploit from one S III to another.