iPhone, IE8, Firefox, and Safari easily hacked at Pwn2Own contest

Published 26 March 2010

Hackers gathered for an annual contest in Vancouver demonstrate easy hacking of iPhone and all major browsers; a non-jailbroken iPhone was also hacked and its SMS database stolen; security measures taken by Firefox, Safari, and IE8 no match for hackers

The annual Pwn2Own contest has seen the Apple iPhone and nearly all the major browsers hacked. At the contest, held at the CanSecWest show in Vancouver, interest has so far centered on the revelation of twenty zero-day flaws in Apple’s OS X by security researcher Charlie Miller. As attendees wait for his keynote address, the Pwn2Own contest gave hackers and security experts a chance to demonstrate their ability and try to breach the security of various devices and software.

Reporting from the event, Mashable claimed that Firefox, Safari, and IE8 were hacked at the contest. A non-jailbroken iPhone was also hacked and its SMS database stolen by Vincenzo Iozzo and Ralf Philipp Weinmann, who were able to send an iPhone to a Web site they had set up, crash its browser, and steal its SMS database — including some erased messages.

They won a $15,000 prize for successfully demonstrating the attack, and they said that details about the attack will be released once Apple is notified and the security hole is patched.

Dan Raywood writes that Miller managed to hack Safari on a MacBook Pro without physical access, which won him $10,000. This followed his success last year when he cracked the Mac platform in just ten seconds.

Nils (no last name given), head of research at U.K.-based MWR InfoSecurity, won $10,000 for hacking Firefox, and independent security researcher Peter Vreugdenhil won the same amount for hacking IE8. Additional details of the IE8 exploit are here.

Mashable reports that all the browser attacks were done by having the browser visit a malicious Web site, although full details were not disclosed.

Candid Wueest, a security expert at Symantec, said that the ease with which the iPhone was hacked highlights the growing issue of mobile security.

Although the loss or theft of the physical device is seen as the biggest problem around mobile security, there is also the problem resulting from the increasing volume of “stealable” business data which is held on these devices, made worse by the current poor encryption.

Mobile platforms have so far been down the “pecking order” of cyber criminals compared to desktop computers, with just 400 different viruses in existence compared with four million in Windows. Although currently a drop in the ocean, the increased standardization of mobile platforms will make it more profitable and easier for malware writers to infiltrate mobile devices.