iPhone 4 Exploited at Pwn2Own in Vancouver

The iPhone was hacked last year at the 2010 CanSecWest conference in Vancouver, where the Pwn2Own contest takes place. At this year's conference the iPhone 4 fell once again.

Charlie Miller teamed up with his colleague Dion Blazakis on the winning exploit. Miller has now won at Pwn2Own four years running (2008 through 2011). Here's how he exploited the iPhone 4, via ZDNet:

The attack simply required that the target iPhone surfs to a rigged web site. On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.

Apple Has Added ASLR to Further Secure iOS 4.3

Here are some interesting notes from Miller’s interview with ZDNet:

– the attack works on iOS 4.2.1, but fails against iOS 4.3
– Apple has quietly added ASLR (address space layout randomization) to iOS 4.3. ASLR randomizes where code and data are loaded each time a process starts, so an exploit can no longer rely on addresses it knows in advance, which makes iOS harder to hack.
– Miller's winning exploit used ROP (return oriented programming) to bypass DEP (data execution prevention). DEP stops injected data from being run as code, so the exploit instead chained together snippets of code already present in memory. A ROP chain like that is a list of fixed addresses, which is exactly what ASLR breaks.
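To make the last two notes concrete, here is a toy model in C of a ROP chain meeting ASLR. It is an added illustration written for this page, not code from the article, from ZDNet, or from Miller's actual exploit. The "memory", the gadget table, the gadget offsets and the load addresses are all invented for the model; a real chain returns into real instructions, but the property being shown is the same: the chain is a list of absolute addresses, it works when the library sits where the attacker expects, it crashes once the library is slid, and it works again only after something leaks the real load address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added illustration, not the article's or Miller's code).
 * "Memory" is a byte array: a non-zero byte is a gadget a chain can
 * return into, a zero byte is unmapped, and returning there crashes. */

#define ADDR_SPACE 0x10000u
#define SLIDE_STEP 0x100u     /* granularity of the simulated ASLR slide (invented) */
#define LIB_IMAGE_SIZE 0x100u /* size of the toy library image (invented) */

enum gadget { UNMAPPED = 0, POP_A, POP_B, ADD_A_B, SYSCALL, RET };

/* Gadget offsets inside the toy library image. Like real code, the
 * offsets never change; only the base the image is loaded at does. */
static const struct { uintptr_t off; uint8_t g; } LIB_GADGETS[] = {
    { 0x10, POP_A }, { 0x20, POP_B }, { 0x30, ADD_A_B }, { 0x40, SYSCALL }, { 0x50, RET },
};

/* Map the library at `base` (the loader's job; ASLR picks the base). */
static int map_library(uint8_t *mem, uintptr_t base) {
    if (base % SLIDE_STEP != 0 || base + LIB_IMAGE_SIZE > ADDR_SPACE) return 0;
    for (size_t i = 0; i < sizeof LIB_GADGETS / sizeof LIB_GADGETS[0]; i++)
        mem[base + LIB_GADGETS[i].off] = LIB_GADGETS[i].g;
    return 1;
}

/* Build a chain computing A = 0x41 + 1 and handing A to the "syscall".
 * Every code entry is an absolute address: the thing ASLR attacks. */
static size_t build_chain(uintptr_t base, uintptr_t *chain) {
    size_t n = 0;
    chain[n++] = base + 0x10; chain[n++] = 0x41;   /* POP_A ; value 0x41 */
    chain[n++] = base + 0x20; chain[n++] = 0x01;   /* POP_B ; value 1    */
    chain[n++] = base + 0x30;                      /* ADD_A_B            */
    chain[n++] = base + 0x40;                      /* SYSCALL            */
    return n;
}

/* Walk the chain the way a CPU does `ret` into each gadget in turn.
 * Returns 1 if the SYSCALL gadget is reached, 0 if execution crashed. */
static int run_chain(const uint8_t *mem, const uintptr_t *chain, size_t n, uintptr_t *result) {
    uintptr_t a = 0, b = 0;
    for (size_t sp = 0; sp < n; sp++) {
        uintptr_t pc = chain[sp];
        uint8_t g = pc < ADDR_SPACE ? mem[pc] : UNMAPPED;
        switch (g) {
        case POP_A:   if (++sp >= n) return 0; a = chain[sp]; break;
        case POP_B:   if (++sp >= n) return 0; b = chain[sp]; break;
        case ADD_A_B: a += b; break;
        case RET:     break;
        case SYSCALL: *result = a; return 1;
        default:      return 0;   /* returned into unmapped memory */
        }
    }
    return 0;                     /* ran off the chain without the syscall */
}

/* The library is really at `real_base`; the attacker built the chain for
 * `assumed_base`. Without ASLR both are equal. With ASLR the attacker only
 * learns the real base from an information leak. Returns the value the
 * syscall received, or -1 if the chain crashed. */
long attack_value(uintptr_t real_base, uintptr_t assumed_base) {
    static uint8_t mem[ADDR_SPACE];
    uintptr_t chain[16], result = 0;
    memset(mem, 0, sizeof mem);
    if (!map_library(mem, real_base)) return -1;
    size_t n = build_chain(assumed_base, chain);
    return run_chain(mem, chain, n, &result) ? (long)result : -1;
}

/* What an info leak would hand the attacker: the runtime address of one
 * known gadget, from which the slid base is recovered by subtraction. */
uintptr_t leak_pop_a(uintptr_t real_base) { return real_base + 0x10; }

int main(void) {
    printf("no ASLR, fixed chain:      %ld\n", attack_value(0x1000, 0x1000));
    printf("ASLR slide, fixed chain:   %ld\n", attack_value(0x4300, 0x1000));
    uintptr_t rebased = leak_pop_a(0x4300) - 0x10;       /* rebase from the leak */
    printf("ASLR slide, rebased chain: %ld\n", attack_value(0x4300, rebased));
    return 0;
}
```

The first call returns 0x42 (the chain reached the "syscall"), the second returns -1 because every address in the chain now points at unmapped memory, and the third returns 0x42 again once the chain is rebuilt from a leaked address. That last step is why ASLR raises the bar rather than closing the door: an attacker needs a second bug that discloses an address before the memory-corruption bug becomes useful.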

Miller Says iPhone Security Has Improved Over the Years

The original iPhone lacked basic security, but Apple has put considerable effort into improving iOS over the years, according to Miller:

“The first one [in 2007] was really, really easy. They had nothing, no sandboxing. Everything was running as root. It was super easy. The SMS one [in 2009] was harder because of DEP but there were no sandbox issues because the process that controlled SMSes wasn’t in a sandbox.”

“As of 4.3, because of the new ASLR, it will be much harder,” Miller added.

Miller’s efforts earned him a $15,000 prize, and he got to keep the pwn3d iPhone 4.

ASLR does not make iOS 4.3 unexploitable, however: security researcher Stefan Esser had earlier posted a video of his iPad running an untethered jailbreak (one that survives a reboot without help from a computer) on iOS 4.3. Esser was one of the earliest proponents of ASLR for iOS, and it appears Apple has taken note.

[ZDNet, CanSecWest 2011]