0

The annual CanSecWest PWN2OWN hacking contest has done it again and provided us news types with the perfect headline writing opportunity as the Apple iPhone falls to the hackers in just 20 seconds. The hackers in question, Vincenzo Iozzo and Ralf Weinmann, picked up the prize of $15,000 and an iPhone for being the first to launch a successful attack on the smartphone in Vancouver.

Of course, if you look behind the headlines (including mine) then you will discover that actually it took a little longer than 20 seconds to run that previously unknown hack attack using the Safari browser on the iPhone which allowed the SMS messages on the device, including those which had been previously deleted, to be sent to a remote server.

How much longer? How does a couple of weeks of preparation sound? Well 'The 1,209,600 second iPhone hack' has a certain ring to it I guess but probably not quite the same wow factor as 20 seconds. This will, no doubt, be picked up upon by both fans of the iPhone who will say that the hack is therefore somehow invalid and fans of other devices who will say it makes no difference and the iPhone is insecure.

The truth, as always in such heated debates, actually sits somewhere between the two. Yes, for this SMS database hacking attack to work you need a user to be stupid at a website beforehand but that's par for the insecurity cause. The worrying thing, I would say, is that the hackers demonstrated it was relatively easy to bypass Apple code-signing routines and exploit non-root user privileges in the first place. Especially as we are not talking about previously Jailbroken devices here as the PWN2OWN contest rules insist that only unmodified iPhones can be used.

Apple has not, as of the time of writing, commented upon the hack.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

4
Contributors
5
Replies
6
Views
7 Years
Discussion Span
Last Post by happygeek
0

My first go around on reading this and I was going to say what BS, thankfully I re-read it in a clearer light. Yeah they had weeks to develop the hack, heck they likely spent months, but that's what hackers do.

The fact is they are only showing you the quickest easiest exploits they know, this doesn't mean that is all they know. In fact these guys get paid "x" times more money than they can actually win at Pwn@Own for showing companies some of the real hard core exploits they now.

The way Pwn@ Own was originally setup the goal was to hack your target machine as quickly and effectively as possible. Now with individual pairings they could've taken their time, but why when they could show the world just how easy it is to do.

0

I'm actually not knocking PWN2OWN here, it has a place in the security world IMHO. Not least as it manages to focus attention on vulnerabilities, such as with the Firefox 3.6 remote exploit thing this week for example.

What I was trying to point out was that too many headlines will exclaim iPhone hacked in 20 seconds, and too many publications will proclaim that iPhone users are at risk of near instant data loss as a result when the truth is perhaps a little duller :)

0

Sorry - but you're still not pointing anything out. Your comparison of the time to run the exploit vs. the time to develop the exploit is meaningless. The iPhone took years to develop. Does that mean I need years to place a phone call?

We're all at risk of instant data loss, especially with an item that can be easily lifted from our pockets or bags. :)

0

so what's your point? care to tell us something new? did you really think they started working on a hack the day the contest started?

0

Funnily enough I didn't, but guess wha,t many people reading 'iphone hacked in 20 seconds' do.

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.