iPhone and Android both hacked at EUSecWest

The iPhone hack was undertaken by two Dutch researchers working in their own time in just three weeks. “We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone,” Joost Pol, CEO of Certified Secure, told ZDNet – although the successful hack also won a $30,000 cash prize. The speed and relative ease might surprise those who still believe in Apple’s security invincibility. It involved finding a basic vulnerability in WebKit (through code auditing techniques), and then chaining different things together to get the exploit.

The result can be used on a specially crafted or compromised website to exploit the iPhone through a simple drive-by download. A successfully delivered attack gets access to the entire address book, photo/video database and browsing history – but not emails or SMS. Particularly worrying, perhaps, is Pol’s added remark: “We specifically chose this one because it was present in iOS 6 which means the new iPhone... will be vulnerable to this attack.”

Pol and his partner Daan Keuper believe that Android’s security is good, but not as good as the iPhone’s. It should be no surprise then that Samsung’s Galaxy 3S running Android 4.0.4 was also hacked – this time by a team from MWR Infosecurity (two researchers in the UK and two in South Africa, who also won a $30,000 prize). This hack was delivered through a weakness in Samsung’s implementation of near field communications (NFC): a malicious file was transferred over NFC and then opened by the Android document viewer.

Two 0-day exploits were subsequently used to combine a code execution attack with privilege escalation. “We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model,” explains MWR in a company blog. “We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.” In short, the device is totally pwned.

And, like the iPhone hack, this can also be used in drive-by downloading. “The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments,” states MWR.

The Pwn2Own competitions at EUSecWest and CanSecWest demonstrate just one thing – nothing is inherently secure. Users must take care whatever device, browser or other application they choose to use.
