Cansecwest iPhoneVANCOUVER–For the fourth consecutive year, researcher Charlie Miller won one of the prizes at the annual Pwn2Own contest here. The difference this time is that Miller successfully exploited an iPhone 4 to win, rather than Safari, which he’s gone after the last three years. The BlackBerry Torch 9800 also was taken down, by a multinational team of researchers who were able to exploit the device’s browser by chaining three exploits together.

The team that went after the BlackBerry faced a series of major hurdles during the research process, the largest of which was the fact that there is no debugger available for the BlackBerry’s current browser. The browser, which is based on WebKit, has little documentation either, so the team of Willem Pinckaers, Vincenzo Iozzo and Ralf-Philipp  essentially were working in the dark, with no crash dump data and just tiny pieces of the memory map emerging as they went through the research process.

The researchers combined two information leak bugs and an integer overflow bug to exploit the BlackBerry browser and run their code on the phone. Iozzo and Pinckaers executed the attack at the contest; Weinmann was not present, but helped with the research. Iozzo, an independent security researcher, and Pinckaers, of Matasano Security, said that the process of finding the bugs and developing a working exploit for the BlackBerry was arduous.

“It was all trial and error. We didn’t have a debugger, so it crashes or it doesn’t crash or it takes a long time to respond. Those are the three options,” Pinckaers said. “We had to figure out the memory map from small little pieces.”

Miller, a researcher at Independent Security Evaluators, used a new exploit he’d developed with his colleague Dion Blazakis that enabled him to run arbitrary code on the iPhone after visiting a specific Web page on the device. After the exploit fired, he was able to perform whatever action he chose on the iPhone.

In each of the last three years Miller has won Pwn2Own at the CanSecWest conference by exploiting a new bug in Safari on Mac OS X. However, this year he never got the chance to try his luck against Apple’s browser because Chaouki Bekrar of French security company VUPEN went first and won the $15,000 prize and MacBook Pro.

In past years, the organizers of Pwn2Own have allowed more than one contestant to attack each target, even if someone has already successfully exploited it. Every successful attack after the first winner earned a smaller cash prize. However, this year’s rules are different and once a contestant takes down a given target, that one is off the table for everyone else.

Miller was the first contestant to go after the iPhone on Thursday. Other mobile devices also are on the slate for today, including the Nexus S handset running Android and a Windows Mobile handset. On the first day of the Pwn2Own contest, after Bekrar defeated Safari on OS X, Irish researcher Stephen Fewer was able to bypass both ASLR and DEP and exploit Internet Explorer 8 on a Windows 7 machine.

None of the contestants on Wednesday tried his luck against Google Chrome, which is generally regarded as more difficult to attack, thanks to its native sandbox. Mozilla Firefox was on the schedule for Thursday as well, but the team that had signed up to attack it withdrew this morning.

Iozzo said that in relation to the iPhone, which he and Weinmann exploited at Pwn2Own last year to win, the BlackBerry is lagging behind in security.
“The BlackBerr is way behind the iPhone at the moment, from a security perspective,” Iozzo said.

Categories: Vulnerabilities, Web Security

Comments (3)

  1. Charter Bus DC

    Here is Similar Story


    Competing hackers stole
    information from a BlackBerry Torch 9800 and Apple iPhone on Thursday,
    day two of the Pwn2Own 2011 hacker conference at the CanSecWest
    conference in Vancouver.

    According to ZDNet,
    a trio of security researchers from Europe, including past Pwn2Own
    winners Vincenzo Iozzo and Ralf-Philipp Weinmann, broke through RIM’s
    open-source Webkit browser to steal contacts and photos from the

    Meanwhile three-time Pwn2Own champion Charlie Miller teamed up with
    colleague Dion Blazakis, both from Baltimore-based Independent Security
    Evaluators, to hijack the iPhone by exploiting a vulnerability in the
    mobile Safari Web browser.

  2. Anonymous

    “The BlackBerry is way behind the iPhone at the moment, from a security perspective,”

    I’m not a big fan of the Blackberry’s, mostly because the company doesn’t provide meaningful information about security.  However, didn’t the iPhone get hacked last year AND this year?  Didn’t the BB researchers also say:

    “ozzo, an independent security researcher, and Pinckaers, of Matasano
    Security, said that the process of finding the bugs and developing a
    working exploit for the BlackBerry was arduous.”

    The BB exploit was the result of a webkit bug AFAICT, and Google is vulnerable. It sounds like Apple is probably also vulnerable.  Why aren’t BB being hacked more often if they are “way behind”?  BB still has a considerable chunk of the market afterall.


  3. Anon Gofer

    Iozzo’s comment on BB and conclusion do not match the outcome reported in the article.  Is there more research available to support the claim that BB security is lagging way behind iPhone???

Comments are closed.