iPhone hacked via Safari, SMS database stolen

The Pwn2Own hacking contest is well under way today and the iPhone has fallen victim to a previously undisclosed Safari flaw.

Security researchers Vincenzo Iozzo and Ralf Philipp Weinmann demonstrated hacking into an iPhone by luring a fully patched iPhone to a specifically crafted website. According to the ZDNet 0-day security blog, the exploit allowed the researchers to steal the entire SMS database, including text messages that had already been deleted.

The researchers built the exploit in just two weeks. They claim the exploit could also reveal the phone contact list, photos and iTunes files. Little details are known about the exploit but the flaw was demonstrated on a fully patched iPhone 3GS running firmware 3.1.3. The pair won a $15,000 cash prize and got to keep the hijacked iPhone. Full details of the exploit will remain undisclosed until the issue is reported to Apple and a patch is released.

At last years Pwn2own, Microsoft flaunted a very speedy response time to a bug, as well as Google's Chrome being the only browser to survive the first day. Four new major flaws were discovered in the three main browsers tested; IE, Firefox and Safari. Following up from Chrome's first day of attack, the browser never suffered any major vulnerabilities. In other news, Charlie Miller - a well known hacker, is expected to demonstrate a new security flaw, today at Pwn2own, on an Apple Macbook Pro running Mac OSX.

Image Credit: Flickr

Report a problem with article
Previous Story

Robot touchscreen analysis reveals differences between smartphones

Next Story

Safari, Firefox, and IE8 hacked; Chrome left untested

57 Comments

Commenting is disabled on this article.

I'd say computers aren't invented to be used by idiots, although the vast majority of users are idiots.
If you want a computer with internet connection, take 10 minutes reading reviews about security products, instead of facebook and then you don't have to reinstall your system every week.
You can install Avira or Security Essentials in 1 minute, leave the windows firewall and windows updates on, and you are ready-to-surf. You don't have to install a bunch of software, just one.

Oh, and Windows FTW.

If you think you are not idiot like what you call the others, only because you read couple pages review about security in some "consumer" magazine, maybe you need to reconsider what you said.

kInG aLeXo said,
If you think you are not idiot like what you call the others, only because you read couple pages review about security in some "consumer" magazine, maybe you need to reconsider what you said.

That would explain the fact that I haven't been infected in years.

Consumer magazines are good for a reason. I mean I was using Norton Antivirus for a week or so.

This is NOT POSSIBLE.
According to Apple Mac products are unshackle and cannot get any viruses. loooooooooooool

Blue602 said,

Nowhere does Apple make such a claim.

http://www.apple.com/macosx/security/


I am referring to their "I am a PC and I am a MAC" TV ads. Have a look at youtube and you will find them.

Plus because of those ads they were forced to issue a press statement stating MACs just like any other computer is.

PS. My original post was nothing more or less than sarcastic.

Do not SMS (text) your life away...
Meet some people for a change, talk to them face to face....it is called being social...(same applies to mindless (very loud) phone conversations on public transport)

Dr. Albert Spamstein said,
And yet people still try to tell me Mac is immune from viruses and exploits..... funny.....

Do they actually do this? I don't pay a lot of attention to ads so I may have missed it, but I only noticed them talking up the amount of existing malware on the two platforms, not differences in core OS behavior that make one more secure than the other.

It's kind of like saying car x is stolen y times per capita every year while car z is only stolen y/8 times. You aren't claiming any car has a better security system than the other, you are just saying that for undisclosed reasons you're far more likely to have your car stolen if you choose car x.

Why are my DELETED SMS messages not actually deleted.
Ugh... gone are the days when you could erase something and it would be gone.

billyea said,
Why are my DELETED SMS messages not actually deleted.
Ugh... gone are the days when you could erase something and it would be gone.
By design!! The developers could easily over-write the data cryptographically when you do a delete but that would have cost too much money.

dyreryft said,
what evidence do you have that mac is the safest OS?

The only evidence that exists is "Steve Jobs said so".

Thanks for the link though it's an interesting read I'm surprised there han't been a bigger (faster?) push to "sandboxing" actually...

dyreryft said,
what evidence do you have that mac is the safest OS?
from the mouth of the mac hacker himself, Charlie Miller. Winner of 2008 and 2009 pwn2own mac exploits.

http://blogs.zdnet.com/security/?p=2941
check - Why Safari? Why didn’t you go after IE


Interesting article. I laughed when I read the part about why he targets OSX and how the Mac doesn't do any of the "things" that Windows does to protect itself. Now if only MS would make that into a "I'm a Mac - I'm a PC" punch in the gut to Steve Jobs.

well, I'm not a mac owner. But even I can admit that the mac really is the safest OS. Vulnerabilities don't matter if know one exploits the exploits.

speedstr3789 said,
well, I'm not a mac owner. But even I can admit that the mac really is the safest OS. Vulnerabilities don't matter if know one exploits the exploits.

Here, take this bucket, there's a hole in the bottom. But it's the best bucket around if you don't put water in it.

Regardz

Benjo85au said,

Here, take this bucket, there's a hole in the bottom. But it's the best bucket around if you don't put water in it.

Regardz

I see what you did there

Benjo85au said,

Here, take this bucket, there's a hole in the bottom. But it's the best bucket around if you don't put water in it.

Regardz


more like: heres a bucket that carrys water fine, but the screws on the handle are loose, so if someone knocks it too hard, your gonna get wet
of course everybody else is concentrating on knocking that hot girl over there's bucket over, but then she is wearing a tight white t-shirt!!!

Love the lab experiment comment...well, not really....

Make excuses all you want about the iPhone getting hacked by one of Apples software products...and on their own hardware. People say is the safest and most secure, only because they are not being target at large. Wait...they will....remember when PCs didnt always need to have all the protection as they do now.

Every year during this contest Apple gets their asses handed to them while MS always comes our ahead of them. Its funny actually...

2001

techbeck said,
only because they are not being target at large. Wait...they will....

2002

techbeck said,
only because they are not being target at large. Wait...they will....

2003

techbeck said,
only because they are not being target at large. Wait...they will....

2004

techbeck said,
only because they are not being target at large. Wait...they will....

2005

techbeck said,
only because they are not being target at large. Wait...they will....

2006

techbeck said,
only because they are not being target at large. Wait...they will....

2007

techbeck said,
only because they are not being target at large. Wait...they will....

2008

techbeck said,
only because they are not being target at large. Wait...they will....

2009

techbeck said,
only because they are not being target at large. Wait...they will....

2010

techbeck said,
only because they are not being target at large. Wait...they will....

Still waiting.

Blue602 said,
Still waiting.

Well, yeah, you prove a good point: after all these years Apple desktops still don't have signifcant market share and aren't worth the time for hackers.

Edited by PeterTHX, Mar 25 2010, 12:52am :

Blue602 said,
2001
Still waiting.

If you buy a couple of more macs to increase the market share, your waiting can be over

Blue602 said,
Still waiting.

You may be waiting, but multi-thousand Mac botnets (existing for some years) aren't.

And about correlation between market share and hack incidents: (read carefully and try to comprehend)
If you approach 1000 people and ask them would they prefer to get $10 or $90 it's WRONG to assume that 10% of people will chose $10.

Blue602 said,
2001
Still waiting.

Wow, never thought such a long post could have no meaning/thought at all...

Yea, you are still waiting and the reason MS didnt have to wait as long is because Apple was a bitch of a company back in the day and couldnt really compete with a dish washer. There for MS took the world by storm while Apple was sitting on their asses sucking on their thumbs. Same reason why the Zune cannot make a big impression on the MP3 market over the iPhone.

Also, you just proved what I have been saying all along about Apple and Mac uses. Apple is luring people in to a false sense of security and Apple drones are eating it up.

Blue602 said,
2001
[...]
Still waiting.

I think we have copypasta of the month award here...

Edited by lexa000, Mar 26 2010, 2:33am :

put it in the wild ( as in use on a noticeable scale ) and ill actually care about what they do @ the Pwn2Own

because if its not in the wild, the vendors wont care, and will take their time in fixing it

Most of the hackers are only interested into a platform that is worth hacking their time! They won't even bother to hack an os a handful of people are using; to that end iPhone is the best target at the moment apart from Symbian, BlackBerry. WinMo and Palm are in a low level league at the moment.

At least this kinda contests makes companies more aware and active to fix those things and people more aware of things.