
iPhone Security Flaw Allows Websites to Steal Your SMS and Mail Databases Within 20 Seconds


With every CanSecWest comes new proof that our Macs and iPhones are nowhere near as secure as we optimistically believed, but the latest hack to come out of the famed security conference’s Pwn2Own hacking contest should be enough to alarm everyone: a pair of European researchers have shown how just visiting a website can compromise a fully patched iPhone and hijack the entire SMS database.

The two researchers — Vincenzo Iozzo and Ralph Philipp Weinmann — lured a target iPhone to a malicious website and stole the iPhone’s entire SMS database (including deleted text messages) in just twenty seconds.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann said.

It’s quite the security flaw, and according to the responsible hackers, it’s all done within the iPhone sandbox, taking advantage of the device’s non-root user, ‘mobile.’ “With this exploit, I can do anything that ‘mobile’ can do,” Weinmann said.

And what can ‘mobile’ do, exactly? Quite a bit, as it turns out. The same technique can be used to make off with a user’s phone contact list, the entire email database, stored photographs or even iTunes files.

“Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient,” said assisting security expert Halvar Flake.

Don’t worry about seeing this in the wild immediately: operating under CanSecWest’s usual ethical constraints, Iozzo and Weinmann will not publicize how, exactly, they carried off the hack until Apple has patched it… and, for their troubles, they made off with a $15,000 check and the compromised iPhone they pwned.
