iPhone Cracked at Pwn2Own, Cited as “Highest-Risk” Smartphone for the Workplace
Over in this week’s “Pwn2Own” hacking contest in Vancouver, British Columbia, Canada, virtually every major browser and operating system had vulnerabilities exploited. According to CNET, researcher Charlie Miller, the principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. Miller also cracked Safari in Mac OS X last year, taking home the $5,000 prize in addition to hacking a MacBook Air in 2008 at the competition.
This year, Ralf-Philipp Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not “jailbroken,” a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.
Weinmann was able to achieve this by making a user visit a malicious Web site. From there, the available exploit allowed the researchers to access the phone’s entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.
Miller and Weinmann said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.
Also hacked in this year’s competition was Microsoft’s Internet Explorer 8 browser. Peter Vreugdenhil, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user’s system.
Another person who went solely by Nils, the head of research at MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.
Dovetailing with the assorted Pwn2Own hacks, a study of security professionals released on Thursday declared that the iPhone is the highest-risk smartphone to carry into the workplace. The study found that 57% of respondents declared the iPhone to pose the worst mobile device threat, followed in a distant second by Android at 39%. Only 28% said the BlackBerry line is the problem, while Nokia’s Symbian-based phones accounted for just 13 percent of smartphone security fears.
Among the respondents, the stigma against the iPhone came mostly from its continued lack of interest in enterprise-class security. Although Apple has made gestures towards this with the addition of hardware encryption to the iPhone 3GS and multiple administration features like remote wipe, Apple hasn’t actively maintained any of these efforts, nCircle’s Security Operations Director Andrew Storms said.
“The general consensus is that Apple continues to do only the absolute minimum to address enterprise security and supportability requirements,” he said. “[Hardware encryption] was almost immediately subverted. This is not the kind of behavior security professionals want to see in vendors.”
The statements come despite Android lacking hardware encryption and having features that lend themselves more to security risks. As apps don’t always need to be signed and can expose features such as the file system, Android devices can theoretically have all their data compromised in software and be used to carry off data of their own. BlackBerries have usually been some of the most secure as they have more sophisticated hardware encryption than the iPhone as well as tight control over access and more mature enterprise-level management.