Two European researchers attending the CanSecWest conference needed just 20 seconds to successfully extract the entire SMS database of a non-jailbroken iPhone to a web server.
Vincenze Iozzo and Ralf Weinmann, who were participating in the conferences’ Pwn2Own contest, created a malicious website capable of pulling an unsuspecting iPhone users SMS database when visited.
Inside the extracted file, the hackers were able to obtain a full list of iPhone contacts, copies of all messages sent and received and more interestingly; all of a users deleted messages which had not been erased manually.
The duo walked away with a tidy US$15,000, a new iPhone and a trip to Las Vegas as a result of their exploit but how was this impressive feat achieved?
The release of the iPhone 2.0 firmware made it more difficult for attackers to tamper with the iPhone kernel, introducing a sandbox that restricted actions on a compromised device. To execute code, a cryptographic code-signing mechanism would need a valid digital signature, reducing the ability to insert malicious payloads.
What technique employed by Weinmann and Iozzo to insert their exploit was known as return-oriented programming, incorporating pieces of valid and signed code, rearranging them to form a malicious payload.
The iPhone’s code signing mechanism requires code loaded into memory to carry a valid digital signature before it can be executed. To get around it, the researchers used a technique known as return-oriented programming, which takes pieces of valid code and rearranges them to form the malicious payload.
The iPhone vulnerability will be submitted to Apple by TippingPoint ZDI who acquired the rights to the iPhone flaw.
[Source: PC World]
[Photo Credit: BoyGeniusReport]