Hackers used an exploit against a previously unknown vulnerability to hijack Apple’s iPhone 3GS

Mar 25, 2010 10:38 GMT

The TippingPoint Zero Day Initiative (ZDI) kicked off the annual Pwn2Own contest again this year at the CanSecWest security conference held in Vancouver, BC, on March 24th, 2010. One of the platforms targeted on the first day of the hacking competition was, of course, the iPhone 3GS. Apple’s smartphone was reportedly brought to its knees after two hacking gurus lured it to a rigged Web site and exfiltrated the SMS database.

The process of compromising the SMS database reportedly took about 20 seconds, ZDnet’s bloggers reveal. The people at TippingPoint say that, “The increased presence and capabilities of smart phones has brought with it the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been published in the past.”

Vincenzo Iozzo and Ralf Philipp Weinmann were the two hackers who used an exploit against a previously unknown vulnerability to compromise the iPhone 3GS at CanSecWest. Even though the exploit crashed the iPhone’s browser session, Weinmann said that, with some additional effort, he could have carried out a completely successful attack with the browser still running. Weinmann is 32 and goes to the University of Luxembourg. He collaborated with Iozzo, a 22-year-old Italian researcher from Zynamics, on the entire process, ZDnet further reveals. They took about two weeks to find a hole and write an exploit.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explains. He adds that the winning Pwn2Own exploit could have exfiltrated the phone’s contact list, email database, photographs and iTunes music files, in addition to hijacking the SMS database. Iozzo reportedly had flight problems and couldn’t arrive in Vancouver in time.

According to the same ZDnet report, a security researcher at TippingPoint Zero Day Initiative (the company sponsoring Pwn2Own) going by the name of Aaron Portnoy describes the attack as “very impressive.” He adds, “It was a real world exploit against a popular device. They exfiltrated the entire SMS database in about 20 seconds. It was as if a Web page was loading.”

At CanSecWest, winners generally receive prize money for their smart hacks, while some even get to keep the device they were able to hack. This time was no different, with Weinmann and Iozzo winning a $15,000 cash prize, and keeping the hijacked iPhone.