Dutch security researchers were able to breach Apple’s mobile OS at a Pwn2Own competition during the EUSecWest security conference in Amsterdam, which opened its doors yesterday. The exploit used a zero-day vulnerability in iOS 5.1.1 and the Golden master of iOS 6 to sidestep Apple’s code signing requirements as well as Safari’s sandbox, enabling an attacker to steal a device’s pictures, videos, address contacts and browsing history.
The exploit was successfully tested on the iPhone 4S, iPhone 4, iPad and iPod touch. But it isn’t necessarily limited to these devices. “We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out will be vulnerable to this attack,” Joost Pol, CEO of Certified Secure said.
While Pol wouldn’t reveal exactly how the exploit worked, he did say that Safari’s security mechanisms were circumvented simply by visiting a website. “We could embed the code in advertisements on news sites for example,” he said, adding that the code could be placed anywhere on a website and it would still work.
It took Pol and his colleague Daan Keuper about three weeks to develop the webkit browser exploit in their spare time. Among other prizes, they won $30,000 for demonstrating the working exploit as part of the competition. Pol still thinks the iPhone is the most secure smartphone available, but warned that Apple will have to come up with an update to patch this hole and users need to upgrade as fast as possible.
Security researchers also demonstrated two previously undiscovered zero-day exploits in Android 4.0.4 running on Samsung’s Galaxy S3 smartphone as part of the competition. “Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation,” MWR Labs said.
They used two vulnerabilities, the first of which caused memory corruption in order to gain limited control of the smartphone. From there they used a second to escalate privileges on the handset and breach the application sandbox. That allowed them to install Mercury, their Android assessment framework, and then extract user data from the device, such as SMS and contact information as well as make calls from the phone.