Apple's iPhone, Safari on Mac exploited at annual hacking contest

Posted:
in macOS edited January 2014
Virtually every major browser and operating system were targets at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.



On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.



Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.



Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.



Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.



Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.



By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.



The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.



By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.



Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.



Another person who went solely by Nils, the head of research MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.
«134567

Comments

  • Reply 1 of 134
    quadra 610quadra 610 Posts: 6,757member
    It happens every year. it doesn't mean any more than it did the first time.



    What counts is what's actually in the wild.



    Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.
  • Reply 2 of 134
    reliasonreliason Posts: 135member
    Quote:
    Originally Posted by Quadra 610 View Post


    It happens every year. it doesn't mean any more than it did the first time.



    What counts is what's actually in the wild.



    Actually, I believe this is the first year the iPhone was pwnd.



    Every browser (except chrome, evidently) has been pwnd pretty much every year.



    Macs are more secure by a combination of superior security architecture (vs. MS) and smaller market share (less desirable target). Security by obscurity is not security tho'.



    And Macs are just as susceptible to social engineering attacks as other platforms. The nasty payloads just haven't targeted the Mac community yet.
  • Reply 3 of 134
    Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.



    No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.
  • Reply 4 of 134
    anonymouseanonymouse Posts: 6,950member
    Quote:
    Originally Posted by Quadra 610 View Post


    Hackers in these contests pick Apple products to attack first in order to maximize publicity.



    I thought they picked Apple products because, if you hack it, you get the hardware.
  • Reply 5 of 134
    quadra 610quadra 610 Posts: 6,757member
    Quote:
    Originally Posted by anonymouse View Post


    I thought they picked Apple products because, if you hack it, you get the hardware.



    That's also a plus.



    Anyway, if a hacker has physical access to the machine, all bets are off.
  • Reply 6 of 134
    evo9evo9 Posts: 8member
    What about Chrome, or have they given up trying on that one already... ?
  • Reply 7 of 134
    So where's the 20 zero-day holes he was talking about like a week and a half ago ?!
  • Reply 8 of 134
    mstonemstone Posts: 11,510member
    The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.
  • Reply 9 of 134
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by evo9 View Post


    What about Chrome, or have they given up trying on that one already... ?



    Chrome is next up. Hasn't been hacked because it is on today's agenda. The other were yesterday.
  • Reply 10 of 134
    freddychfreddych Posts: 266member
    Quote:
    Originally Posted by mstone View Post


    The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.



    Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.
  • Reply 11 of 134
    geekdadgeekdad Posts: 1,131member
    Quote:
    Originally Posted by Quadra 610 View Post


    It happens every year. it doesn't mean any more than it did the first time.



    What counts is what's actually in the wild.



    Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.



    That is not entirely correct... the hack them becuse they are low hanguing fruit. The Mac as been the first computer hacked 3 years in row so far. But this was the firstime the iPhone was compromised. This will happen more an more as Apple gains market share. This is the #1 reason Macs are slow to dent the business world.....
  • Reply 12 of 134
    gigawiregigawire Posts: 196member
    Quote:
    Originally Posted by lowededwookie View Post


    Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.



    No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.



    A true test of what exactly? The point of this is that it can be hacked; not how long it takes. The event is called pwn2own, not pwnfast2own.



    Keep the blinders on, it's safe under there.
  • Reply 13 of 134
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by freddych View Post


    Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.





    Did you even read the article or do any independent googling? A totally patched Safari visited a malicious web page.
  • Reply 14 of 134
    They have hacking contests? Why is this legal???
  • Reply 15 of 134
    freddychfreddych Posts: 266member
    Quote:
    Originally Posted by mstone View Post


    Did you even read the article or do any independent googling? A totally patched Safari visited a malicious web page.



    Obviously they are making this up.
  • Reply 16 of 134
    quadra 610quadra 610 Posts: 6,757member
    I believe Miller was given Administrator access to the system as well . . .
  • Reply 17 of 134
    solipsismsolipsism Posts: 25,726member
    This is one of those things in life that are both relevant and pointless at the same time. It's great to see attention put toward making our computers safer by way of competition, but the exploits seem mostly to be important to a very select few people



    Spending two weeks to write code that could extract my SMS history is noteworthy, and could be pushed to a lot of hacked sites but without getting root access very few are going to care. I am curious how any webcode can call other services on the iPhone and hope Apple does a better job sandboxing the iPhone's browser, but I won't lose sleep over it if they don't.





    Quote:
    Originally Posted by mstone View Post


    Chrome is next up. Hasn't been hacked because it is on today's agenda. The other were yesterday.



    Have the other handsets gone yet?
  • Reply 18 of 134
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Quadra 610 View Post


    I believe Miller was given Administrator access to the system as well . . .



    There is no point in organizing the public event at a high profile computer security conference if it is not going to be fair and audited by independent experts. That would just be silly.
  • Reply 19 of 134
    Quote:
    Originally Posted by reliason View Post


    Macs are more secure by a combination of superior security architecture (vs. MS) ...



    That's not true anymore since Vista. It's even the other way around since the "Secure Development Lifecycle" initiative. But IE was created before this started so that's why IE should be "cleaned" from the ground up.
  • Reply 20 of 134
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by solipsism View Post


    Have the other handsets gone yet?



    not yet. You can follow it here



    http://twitter.com/thezdi



    Also here



    http://dvlabs.tippingpoint.com/blog/...5/pwn2own-2010
Sign In or Register to comment.