CanSecWest conference organised a contest - Pwn2Own, which saw many participants enrolled. Among the many, two European researchers stood out. They successfully hacked a non-jailbroken iPhone and extracted the entire SMS database - all in 20 seconds!
Vincenze Iozzo and Ralf Weinmann, the men behind the extraordinary feat, created a malicious website capable of pulling an unsuspecting iPhone users' SMS database when visited. The extracted file included a full list of contacts, photos, copies of all messages sent and received and....shockingly...even the deleted messages.
This feat earned them US$15,000, a new iPhone and a trip to Las Vegas. Wow!
But how did they do that?
The technique employed by Weinmann and Iozzo to insert their exploit was known as return-oriented programming, incorporating pieces of valid and signed code, and rearranging them to form a malicious payload.
TippingPoint ZDI acquired the rights to the iPhone flaw, which they will now submit to Apple so Apple can do a further study on it and prevent it from happening on their devices in the future.
But seriously, this only goes to show that the Apple logo doesn’t give you the freedom to get away with anything. Caution is strictly required!
Like our posts? Follow Firstain on Twitter and/or join our Facebook Group to stay up-to-date with us.
Like our authors? Follow them: Aman Milwani on Twitter and/or Karan on Twitter.
Subscribe to Firstain by Email
Share This Post!
