Pwn2Own 2010 winners really did pwn
The Pwn2Own Contest in Vancouver recently concluded, and two European researchers, Vincenzo Iozzo and Ralf Philipp Weinmann, were crowned the winners. So what exactly did they do that pwns? Well, it’s something that’ll make you think twice before surfing with your iPhone.
Armed with previously unknown exploit code, the two lured a target iPhone to their cleverly rigged site and managed to hijack its SMS database. In just 20 seconds.
That means that if you wander cluelessly into their sticky web, they basically grab your inbox, saved messages, sent items, and even the ones you’ve deleted. “Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” explained Weinmann, who received the award. Iozzo couldn’t get a flight to the event.
“Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient,” said Halvar Flake, a reputable security researcher who assisted the winners.
Aaron Portnoy, security researcher at TippingPoint ZDI (the Pwn2Own sponsors), described the work as “very impressive”. “It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a web page was loading,” he added.
More interestingly, the winning exploit is not limited to the SMS database. It could also be directed to exfiltrate the contact list, email database, the photos, and even the iTunes list.
So now, all information pertaining to the exploit will go straight to Apple and Apple alone. For obvious reasons, no info will be released until after they’ve released a patch.
The winners, Weinmann and Iozzo, got US$15,000 in prize money and get to keep their victimized iPhone, while the rest of the world is stuck with the paranoia that anybody can see their private pictures and that Lady Gaga is Most Played on their iTunes.
[via ZDnet]