News Vulnerability Management
Researchers Demonstrate Flaws In iPhone 4, 5 In Hacking Contest
Vulnerability in Apple's Webkit could affect both of company's new phones, researchers say
A pair of researchers won $30,000 in the mobile Pwn2Own contest last week in Amsterdam by proving security vulnerabilities affecting Apple's newest iPhones.
According to news reports, two researchers at Dutch security company Certified Secure found a flaw in WebKit, the driver behind Apple's iOS browsers, which could be used to crack both of the company's newest phones, the iPhone 4S and the iPhone 5.
More Security Insights
- Transitioning to Multicore Development
- Digital Transformation: Creating new business models where digital meets physical
- Best Practices: 6 Security Services Every Small Business Must Have
- Best Practices: Using Apple's Global Proxy to Boost Mobile Security
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Getting a Grip on Mobile Malware
Certified Secure CEO Joost Pol and researcher Daan Keuper reportedly told interviewers that the finished exploit can be deployed in minutes, but took about three weeks of dedicated work to develop.The vulnerability is not yet patched in iOS 6, they say.
The zero-day vulnerability allowed Pol and Keuper to corrupt the memory of the browser and inject new instructions, forcing it to surf to a malicious website. The hack bypassed the code signing normally required, enabling the researchers to access photos, videos, contacts, and browsing history. The exploit did not crack email or SMS, which were sealed off from the memory corruption and encrypted.
The researchers said they have purged their machines of the code. "If [the attack they developed was seen] in the wild, [hackers] could embed the exploit into an ad on a big advertising network and cause some major damage," Pol reportedly said.
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.