The annual CanSecWest PWN2OWN hacking contest has done it again and provided us news types with the perfect headline writing opportunity as the Apple iPhone falls to the hackers in just 20 seconds. The hackers in question, Vincenzo Iozzo and Ralf Weinmann, picked up the prize of $15,000 and an iPhone for being the first to launch a successful attack on the smartphone in Vancouver.
Of course, if you look behind the headlines (including mine) then you will discover that actually it took a little longer than 20 seconds to run that previously unknown hack attack using the Safari browser on the iPhone which allowed the SMS messages on the device, including those which had been previously deleted, to be sent to a remote server.
How much longer? How does a couple of weeks of preparation sound? Well 'The 1,209,600 second iPhone hack' has a certain ring to it I guess but probably not quite the same wow factor as 20 seconds. This will, no doubt, be picked up upon by both fans of the iPhone who will say that the hack is therefore somehow invalid and fans of other devices who will say it makes no difference and the iPhone is insecure.
The truth, as always in such heated debates, actually sits somewhere between the two. Yes, for this SMS database hacking attack to work you need a user to be stupid at a website beforehand but that's par for the insecurity cause. The worrying thing, I would say, is that the hackers demonstrated it was relatively easy to bypass Apple code-signing routines and exploit non-root user privileges in the first place. Especially as we are not talking about previously Jailbroken devices here as the PWN2OWN contest rules insist that only unmodified iPhones can be used.
Apple has not, as of the time of writing, commented upon the hack.
