or Connect
AppleInsider › Forums › Software › Mac OS X › Apple's iPhone, Safari on Mac exploited at annual hacking contest
New Posts  All Forums:Forum Nav:

Apple's iPhone, Safari on Mac exploited at annual hacking contest

post #1 of 130
Thread Starter 
Virtually every major browser and operating system were targets at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.

On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.

Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.

Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.

Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.

Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.

By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.

The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.

By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.

Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.

Another person who went solely by Nils, the head of research MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.
post #2 of 130
It happens every year. it doesn't mean any more than it did the first time.

What counts is what's actually in the wild.

Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.
post #3 of 130
Quote:
Originally Posted by Quadra 610 View Post

It happens every year. it doesn't mean any more than it did the first time.

What counts is what's actually in the wild.

Actually, I believe this is the first year the iPhone was pwnd.

Every browser (except chrome, evidently) has been pwnd pretty much every year.

Macs are more secure by a combination of superior security architecture (vs. MS) and smaller market share (less desirable target). Security by obscurity is not security tho'.

And Macs are just as susceptible to social engineering attacks as other platforms. The nasty payloads just haven't targeted the Mac community yet.
post #4 of 130
Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.

No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.
post #5 of 130
Quote:
Originally Posted by Quadra 610 View Post

Hackers in these contests pick Apple products to attack first in order to maximize publicity.

I thought they picked Apple products because, if you hack it, you get the hardware.
post #6 of 130
Quote:
Originally Posted by anonymouse View Post

I thought they picked Apple products because, if you hack it, you get the hardware.

That's also a plus.

Anyway, if a hacker has physical access to the machine, all bets are off.
post #7 of 130
What about Chrome, or have they given up trying on that one already... ?
post #8 of 130
So where's the 20 zero-day holes he was talking about like a week and a half ago ?!
post #9 of 130
The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #10 of 130
Quote:
Originally Posted by evo9 View Post

What about Chrome, or have they given up trying on that one already... ?

Chrome is next up. Hasn't been hacked because it is on today's agenda. The other were yesterday.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #11 of 130
Quote:
Originally Posted by mstone View Post

The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.

Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.

iPad2 16 GB
iPhone 5 32 GB

Reply

iPad2 16 GB
iPhone 5 32 GB

Reply
post #12 of 130
Quote:
Originally Posted by Quadra 610 View Post

It happens every year. it doesn't mean any more than it did the first time.

What counts is what's actually in the wild.

Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.

That is not entirely correct... the hack them becuse they are low hanguing fruit. The Mac as been the first computer hacked 3 years in row so far. But this was the firstime the iPhone was compromised. This will happen more an more as Apple gains market share. This is the #1 reason Macs are slow to dent the business world.....

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply
post #13 of 130
Quote:
Originally Posted by lowededwookie View Post

Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.

No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.

A true test of what exactly? The point of this is that it can be hacked; not how long it takes. The event is called pwn2own, not pwnfast2own.

Keep the blinders on, it's safe under there.
Can I get my icons in cornflower blue?
Reply
Can I get my icons in cornflower blue?
Reply
post #14 of 130
Quote:
Originally Posted by freddych View Post

Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.


Did you even read the article or do any independent googling? A totally patched Safari visited a malicious web page.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #15 of 130
They have hacking contests? Why is this legal???
post #16 of 130
Quote:
Originally Posted by mstone View Post

Did you even read the article or do any independent googling? A totally patched Safari visited a malicious web page.

Obviously they are making this up.

iPad2 16 GB
iPhone 5 32 GB

Reply

iPad2 16 GB
iPhone 5 32 GB

Reply
post #17 of 130
I believe Miller was given Administrator access to the system as well . . .
post #18 of 130
This is one of those things in life that are both relevant and pointless at the same time. It's great to see attention put toward making our computers safer by way of competition, but the exploits seem mostly to be important to a very select few people

Spending two weeks to write code that could extract my SMS history is noteworthy, and could be pushed to a lot of hacked sites but without getting root access very few are going to care. I am curious how any webcode can call other services on the iPhone and hope Apple does a better job sandboxing the iPhone's browser, but I won't lose sleep over it if they don't.


Quote:
Originally Posted by mstone View Post

Chrome is next up. Hasn't been hacked because it is on today's agenda. The other were yesterday.

Have the other handsets gone yet?
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #19 of 130
Quote:
Originally Posted by Quadra 610 View Post

I believe Miller was given Administrator access to the system as well . . .

There is no point in organizing the public event at a high profile computer security conference if it is not going to be fair and audited by independent experts. That would just be silly.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #20 of 130
Quote:
Originally Posted by reliason View Post

Macs are more secure by a combination of superior security architecture (vs. MS) ...

That's not true anymore since Vista. It's even the other way around since the "Secure Development Lifecycle" initiative. But IE was created before this started so that's why IE should be "cleaned" from the ground up.
post #21 of 130
Quote:
Originally Posted by solipsism View Post

Have the other handsets gone yet?

not yet. You can follow it here

http://twitter.com/thezdi

Also here

http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #22 of 130
Quote:
Originally Posted by freddych View Post

Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.

they choose apple because it will give them more publicity

if they chose to hack ie which has already been hacked since it was born, numerous time, it really wouldn't be very meaningful...
post #23 of 130
Quote:
Originally Posted by doyourownthing View Post

they choose apple because it will give them more publicity

if they chose to hack ie which has already been hacked since it was born, numerous time, it really wouldn't be very meaningful...

Actually IE 8 on Win 7 proved to be extremely difficult to hack and required a multi step process to finally gain access.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #24 of 130
Quote:
Originally Posted by NewMacMan View Post

They have hacking contests? Why is this legal???

In this case, one of the rules of the competition is that you don't release the exploit publicly. The details of the exploit are given to the organizers who in turn give them to the manufacturers so they can correct the vulnerability.

It is actually a good thing. The publicity generated by the event puts pressure on the manufacturers to act.
post #25 of 130
Quote:
Originally Posted by geekdad View Post

That is not entirely correct... the hack them becuse they are low hanguing fruit. The Mac as been the first computer hacked 3 years in row so far. But this was the firstime the iPhone was compromised. This will happen more an more as Apple gains market share. This is the #1 reason Macs are slow to dent the business world.....

Please think before you post on a forum like this. What you say here is not only inaccurate, it's almost verbatim what the "contest" organisers would like you to believe in defiance of the facts.

It's a contest that professes to determine the very things you think it does, but in fact is completely rigged in terms of what hacks are attempted, who goes first, and what kind of access they get. The one thing this contest cannot ascertain, is which of the various computer systems or browsers are more vulnerable. This inability is designed right into the structure of the event.

The danger is that people like you reading accounts of the contest, assume that the first browser or OS to be compromised is the most insecure. This is why many serious security specialists don't participate in the contest. It directly misleads the public into thinking that the results actually man anything in the real world.
post #26 of 130
Quote:
Originally Posted by NewMacMan View Post

They have hacking contests? Why is this legal???

It gives people an incentive to find vulnerabilities and report them so they can be patched.
The key to enjoying these forums: User CP -> Edit Ignore List
Reply
The key to enjoying these forums: User CP -> Edit Ignore List
Reply
post #27 of 130
Firefox plus AdBlock; FlashBlock and NoScript, on a a Mac. That's a pretty secure combo I reckon.
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply
post #28 of 130
Quote:
Originally Posted by Prof. Peabody View Post

Please think before you post on a forum like this. What you say here is not only inaccurate, it's almost verbatim what the "contest" organisers would like you to believe in defiance of the facts.

It's a contest that professes to determine the very things you think it does, but in fact is completely rigged in terms of what hacks are attempted, who goes first, and what kind of access they get. The one thing this contest cannot ascertain, is which of the various computer systems or browsers are more vulnerable. This inability is designed right into the structure of the event.

The danger is that people like you reading accounts of the contest, assume that the first browser or OS to be compromised is the most insecure. This is why many serious security specialists don't participate in the contest. It directly misleads the public into thinking that the results actually man anything in the real world.

You should think first then post......
Everything I wrote was acurrate. Don't attack me persoanlly...we can disagree but quit the personal attack.........
I work for a fortune 100 company. We are testing 200 iPhones in our highly regulated extremely audited corporate environment. They have so many limitations in the business world concerning security and administration it is not even worth comparing to other solutions. We have 2000 Macs in our Media Departments that are segmented because of the vulerabilities from the rest of the corpoate network. Mac OSX is not as secure as you think it is just because you like your Mac and think it is cool. You can cite that there are no viruses in the wild for the Mac platform but you are kidding yourself. The can be compromised as easily or more easily than anyother system. This is fact.....
I am an Apple fan. I have Macs at home AND I have an iPhone and I will buy 2 iPads for my wife and my teenage son. But I also know their limitations. Alos I am NOT an Apple hater just becuse I disagree with you. Look up my posts and threads and you will see I don't post negative Apple stuff here.........

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply
post #29 of 130
Quote:
Originally Posted by geekdad View Post

That is not entirely correct... the hack them becuse they are low hanguing fruit. The Mac as been the first computer hacked 3 years in row so far. But this was the firstime the iPhone was compromised. This will happen more an more as Apple gains market share. This is the #1 reason Macs are slow to dent the business world.....

Can you explain what you mean by "first"?
Do they line up every device, and every OS, for each contestant, and then say "GO!"
And the first device / system to fall is the first to fall (ie, the weakest).
Most headline I read about this contest seem to suggest that OS X was hacked; and that the others are still being worked on, and not yet successfully hacked.
But I have no idea how the competition is actually setup.
Is Charlie Miller unable to hack a Windows machine?

I mean; if they do Safari hacks on day 1, and Internet Explorer isn't up for hacking till day 3, one wouldn't say, "Oooh burn!; Safari was hacked right on the first day!! Internet Explorer is still standing!"

I'm sure I'm missing something here.
post #30 of 130
Quote:
Originally Posted by reliason View Post

Actually, I believe this is the first year the iPhone was pwnd.

Every browser (except chrome, evidently) has been pwnd pretty much every year.

Macs are more secure by a combination of superior security architecture (vs. MS) and smaller market share (less desirable target). Security by obscurity is not security tho'.

And Macs are just as susceptible to social engineering attacks as other platforms. The nasty payloads just haven't targeted the Mac community yet.

Do you even know what social engineering is? Anything and anyone is susceptible someone good at social engineering. It's easy to hack when you're given passwords and codes.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #31 of 130
Quote:
Originally Posted by isaidso View Post

Can you explain what you mean by "first"?
Do they line up every device, and every OS, for each contestant, and then say "GO!"
And the first device / system to fall is the first to fall (ie, the weakest).
Most headline I read about this contest seem to suggest that OS X was hacked; and that the others are still being worked on, and not yet successfully hacked.
But I have no idea how the competition is actually setup.
Is Charlie Miller unable to hack a Windows machine?

I mean; if they do Safari hacks on day 1, and Internet Explorer isn't up for hacking till day 3, one wouldn't say, "Oooh burn!; Safari was hacked right on the first day!! Internet Explorer is still standing!"

I'm sure I'm missing something here.

They setup the fully patched machines and then the hackers try to compromise the machines. The Mac was compromised first for...I think 3 years in a row.......
All of this can be found if you Google Pwn2Own. Here is one link to tons of stuff concerning this subject...don't take my word for it read it for yourself..
http://www.computerworld.com/s/artic...?taxonomyId=17

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply
post #32 of 130
Quote:
Originally Posted by geekdad View Post

They setup the fully patched machines and then the hackers try to compromise the machines. The Mac was compromised first for...

Actually they draw random time slots out of a hat each day.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #33 of 130
Quote:
Originally Posted by NewMacMan View Post

They have hacking contests? Why is this legal???

What's illegal about it? They're not compromising any government agency or cooperation. Just a stand alone device. All hacks and/or exploits are reported to the correct parties so patches can be made.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #34 of 130
Quote:
Originally Posted by geekdad View Post

They setup the fully patched machines and then the hackers try to compromise the machines. The Mac was compromised first for...I think 3 years in a row.......
All of this can be found if you Google Pwn2Own. Here is one link to tons of stuff concerning this subject...don't take my word for it read it for yourself..
http://www.computerworld.com/s/artic...?taxonomyId=17

That magazine caters to the windows world, nothing said in that article can be construed as fact, its mostly FUD.
post #35 of 130
Quote:
Originally Posted by freddych View Post

Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.

Okay lets be a little adult about this...

The went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no quams about boasting that fact.

Going after ANY Microsoft product?!?! Perhaps a project that the 'preschoolers' might find mildly challenging but if you notice nobody gets too much 'street cred' for boasting their latest attack on Microsoft... UNLESS perhaps the OS was just release or 'newly patched' to be 'even more secure!'

Linux is so open its not even worth talking about... It's like bragging you stole a boat load of cash when in fact you simply took a few pennies form the 'need a penny' container at the 7-11.

So yes.. the SUPER SPOTLIGHT is clearly shown on hackers who tackle Apple products and ... rightfully so...

BUT as others have already pointed out... this crap is done EVERY YEAR but these folks and yes somehow another year ticks by without an significant* virus, worm or trojan making assaults OS X based systems or devices.

* I used 'significant' simply because I couldn't with a 100% certainty say nobody on a Mac based system was ever attacked or infected by a virus in the past year while running its native OS (OS X and/or iPhone OS) not dual booting or virtual machines running alternate OS... That kinda crap clearly wouldn't count!
Apple Fanboy: Anyone who started liking Apple before I did!
Reply
Apple Fanboy: Anyone who started liking Apple before I did!
Reply
post #36 of 130
Quote:
Originally Posted by mstone View Post

Actually they draw random time slots out of a hat each day.

You are correct........

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply
post #37 of 130
Quote:
Originally Posted by DaveGee View Post

Okay lets be a little adult about this...

The went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no quams about boasting that fact.

Going after ANY Microsoft product?!?! Perhaps a project that the 'preschoolers' might find mildly challenging but if you notice nobody gets too much 'street cred' for boasting their latest attack on Microsoft... UNLESS perhaps the OS was just release or 'newly patched' to be 'even more secure!'

Linux is so open its not even worth talking about... It's like bragging you stole a boat load of cash when in fact you simply took a few pennies form the 'need a penny' container at the 7-11.

So yes.. the SUPER SPOTLIGHT is clearly shown on hackers who tackle Apple products and ... rightfully so...

BUT as others have already pointed out... this crap is done EVERY YEAR but these folks and yes somehow another year ticks by without an significant* virus, worm or trojan making assaults OS X based systems or devices.

* I used 'significant' simply because I couldn't with a 100% certainty say nobody on a Mac based system was ever attacked or infected by a virus in the past year while running its native OS (OS X and/or iPhone OS) not dual booting or virtual machines running alternate OS... That kinda crap clearly wouldn't count!

Most of what you wrote was correct except...that the Mac was compromised first based on the amount of time it took to compromise the system. If i remember right the Ubuntu system was not compromised or was compromised last....... But for 3 years in a row the Mac was compromised first....and NOT by a vurus but by malicious coded websites via Safari. The exploits the last 2 years were well known and reported to Apple but were not patched. Last year the Mac was compromised in 2 minutes......

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply

Tallest Skil:


"Eventually Google will have their Afghanistan with Oracle and collapse"

"The future is Apple, Google, and a third company that hasn't yet been created."


 


 

Reply
post #38 of 130
"This is the #1 reason Macs are slow to dent the business world..."

I don't think so.
post #39 of 130
Quote:
Originally Posted by DaveGee View Post

The went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no quams about boasting that fact.

I think there is a lot of misinformation in this thread. Please do a little research. I know there is not a lot of info available for this year's contest. There is no blow by blow account like an Apple Keynote, but this is sort of how it works:

Security researchers register for the contest. They are prepared in advance for a certain exploit on a certain platform. They pick random time slots out of a hat. It just so happens that the iPhone slot was chosen first by a certain group this year. That is not to say that there weren't other groups who also had a prepared exploit against a certain device but didn't get a chance because there is only one prize per platform/browser.

The person who was registered to hack the Nokia went missing in action so no result for that device. Also it appears that there was no registered party for the Chrome platform so it went untested as well.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #40 of 130
Quote:
Originally Posted by DaveGee View Post

Okay lets be a little adult about this...

The went 'after' Apple because it has the best 'in the wild' track record when it comes to security AND Apple has no quams about boasting that fact.

But notice that nowhere does Apple say that OS X is the most secure.

http://www.apple.com/macosx/security/
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Apple's iPhone, Safari on Mac exploited at annual hacking contest