So another shocker from the Pwn2Own 2010 hacking contest that’s on going at the moment: hackers Vincenzo Iozzo and Ralf Philipp Weinmann were able to come up with a trick that allowed them to break into fully-patched iPhones’ SMS databases, even the messages that were deleted, simply by tricking the owner to visit a “rigged” web site.
Aside from hijacking entire SMS databases in about 20 seconds, the exploit could potentially also be used to “exfiltrated the phone contact list, photographs and iTunes music files.” All that by simply having a user visit a specific website and without ever needing to leave the iPhone sandbox. Sounds really scary, doesn’t it?
“This exploit doesn’t get out of the iPhone sandbox,” Flake explained, noting that an attacker can do enough damage without escaping from the sandbox. “Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient,” Flake added.
Aaron Portnoy, a security researcher at TippingPoint Zero Day Initiative (the company sponsoring Pwn2Own), described the attack as “very impressive.”
“It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a Web page was loading.”
TippingPoint ZDI acquired the exclusive rights to the flaw information. The company will report the issue to Apple and will withhold details until a patch is released.
Full Story:
http://thetechjournal.com/electronics/computer/security-computer-electronics/hackers-can-break-into-your-iphones-sms-database-in-20-seconds.xhtmlPalm Pre and the WebOS FTW
