Researchers Demonstrate Flaws In iPhone 4, 5 In Hacking Contest

A pair of researchers won $30,000 in the mobile Pwn2Own contest last week in Amsterdam by proving security vulnerabilities affecting Apple's newest iPhones.

According to news reports, two researchers at Dutch security company Certified Secure found a flaw in WebKit, the driver behind Apple's iOS browsers, which could be used to crack both of the company's newest phones, the iPhone 4S and the iPhone 5.

Certified Secure CEO Joost Pol and researcher Daan Keuper reportedly told interviewers that the finished exploit can be deployed in minutes, but took about three weeks of dedicated work to develop.The vulnerability is not yet patched in iOS 6, they say.

The zero-day vulnerability allowed Pol and Keuper to corrupt the memory of the browser and inject new instructions, forcing it to surf to a malicious website. The hack bypassed the code signing normally required, enabling the researchers to access photos, videos, contacts, and browsing history. The exploit did not crack email or SMS, which were sealed off from the memory corruption and encrypted.

The researchers said they have purged their machines of the code. "If [the attack they developed was seen] in the wild, [hackers] could embed the exploit into an ad on a big advertising network and cause some major damage," Pol reportedly said.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.