Hackers at this year’s CanSecWest Pwn2Own contest will definitely break into an Apple iPhone by exploiting a remote code execution vulnerability.
That’s the prediction from Charlie Miller and Aaron Portnoy, two security researchers who are monitoring events leading to next week’s hacker challenge.
Portnoy, a vulnerability researcher at TippingPoint and an organizer of this year’s contest, believes the iPhone will be the only mobile device to fall despite a bigger bounty on smartphone vulnerabilities.
Here’s Portnoy’s public prediction:
While last year’s contest did not see any pwnage of the mobile devices, there have been a number of devices added to the list and with all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target. Plus, we announced the mobile targets with more lead time this year, so I don’t expect these to survive this go around. First to fall: the iPhone. Survivors: BlackBerry, Symbian, Android.
In a live chat on Threatpost, Charlie Miller provided more details around his iPhone-will-fall prediction:
Someone I know quite well says they have an exploit for it and plan on using it. But to answer your question in a more general way, from an exploitation perspective, iPhone is no harder than OS X now that Snow Leopard has DEP. In fact it is easier because it lacks ASLR altogether. (Interestingly, there was a year when iPhone had DEP and OS X didn’t and so iPhone was way harder then). These statements are true for Pwn2Own at least.
In real life iPhone is harder because you can’t just exec a shell (since there is no /bin/sh). You have to write your return-oriented payload to do all your dirty work, which can be a pain. In Pwn2Own, you just have to prove you have code running, not actually do something useful, so the bar is lower. The only thing iPhone has going for it, which coincidentally is stopping me from attacking it this year, is a smaller attack surface. There isn’t as much exposed code on the iPhone. Safari for Mac OS X can do anything, render any file, etc. Not so on iPhone. There are some file types MobileSafari can’t display, some they display incompletely, and of course, iPhone lacks Java and Flash, which come by default on Safari. The easy-to-exploit bugs I know about happen to live in the code that Safari (on OS X) has but MobileSafari doesn’t, so no go for me.
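Miller’s DEP point, as an added C example (not code from the original article or from Miller): it writes a tiny "return 42" stub into a freshly mapped page and tries to call it, first while the page is read/write, then after flipping it to read/execute. The fault in the first case is what DEP/NX provides, and it is why a payload on a DEP-enabled target has to be assembled from code that is already mapped executable, the return-oriented payload he describes. The stub bytes (x86-64 and AArch64 only), the function names and the SIGSEGV recovery via sigsetjmp are my own choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example: a DEP/NX probe. Returns 42 if the injected stub actually
 * executed, 0 if the CPU faulted on the instruction fetch instead, -1 on
 * a mapping failure (e.g. a sandbox that refuses PROT_EXEC). */

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char STUB[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};
#elif defined(__aarch64__)
/* mov w0, #42 ; ret  (little-endian instruction encodings) */
static const unsigned char STUB[] = {0x40, 0x05, 0x80, 0x52,
                                     0xC0, 0x03, 0x5F, 0xD6};
#else
#error "this example carries stubs for x86-64 and AArch64 only"
#endif

static sigjmp_buf recover;

/* Jump back out of the faulting call; sigsetjmp(…, 1) restores the signal mask. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover, 1);
}

typedef int (*stub_fn)(void);

/* Copy STUB into a private anonymous page, set the page's final protection
 * to `prot`, and try to call into it. */
static int try_run_stub(int prot) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    memcpy(buf, STUB, sizeof STUB);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof STUB);
    if (mprotect(buf, (size_t)page, prot) != 0) {
        munmap(buf, (size_t)page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(recover, 1) == 0) {
        stub_fn fn;
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> code pointer */
        result = fn();                  /* faults here if the page is not executable */
    } else {
        result = 0;                     /* arrived via on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, (size_t)page);
    return result;
}

/* What an attacker gets when jumping to injected bytes under DEP: a fault. */
int run_from_nonexec_page(void) { return try_run_stub(PROT_READ | PROT_WRITE); }

/* The same bytes on a page that is already executable run fine, which is
 * why post-DEP payloads reuse code the process has mapped as RX. */
int run_from_exec_page(void) { return try_run_stub(PROT_READ | PROT_EXEC); }

int main(void) {
    printf("injected code on RW page: %s\n",
           run_from_nonexec_page() == 42 ? "RAN (no DEP/NX)" : "faulted (DEP/NX enforced)");
    printf("same bytes on RX page:    %s\n",
           run_from_exec_page() == 42 ? "ran" : "faulted");
    return 0;
}
```

On a normal Linux or macOS build the first call faults and the second returns 42; a result of -1 from the second call means the environment refuses executable anonymous mappings outright, which is a stricter policy than the DEP Miller is describing.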
Miller was among the first to remotely exploit the iPhone, in 2007 through a Safari vulnerability, and he later demonstrated an SMS-based attack against it. He is best known for exploiting Apple’s Safari browser to win back-to-back Pwn2Own challenges.
On Twitter, a pair of researchers — _snagg and esizkur — have publicly announced their plans to take aim at the iPhone.
Here are some additional predictions from TippingPoint’s Portnoy:
- More Competitors, More Pwnage. In past years’ contests, we’ve had about 4-5 competitors – and they all signed up the day of the show. To date, we’ve had six participants register for the contest and expect a few more will sign up on site. These are some of the best and brightest minds in security research and I anticipate some very interesting (and successful) hack attempts on most of the targets we’ve outlined.
- Not Your Average Attack Vectors. To the point above, I fully expect some impressive exploits to come out of this competition. To fuel creativity and to make this more of a competition, we are not allowing the use of third-party plug-ins to aid in exploitation – at least on the first day. Third-party plug-ins – like Adobe Flash – introduce weaknesses that aid in exploitation of client-side vulnerabilities. This means that in order to defeat security controls such as Microsoft’s Data Execution Prevention (DEP) and/or Address Space Layout Randomization (ASLR), a contestant will have to write an impressive exploit. I expect to see such an exploit topple Internet Explorer 8 on Windows 7 early on in the contest.
- Chrome’s Sandbox Model Saves the Day. While Chrome is often affected by vulnerabilities due to its inclusion of the WebKit library, I predict the browser will remain untouched throughout Pwn2Own. This is due to the difficulty in producing an impactful exploit that can break out of the security sandbox. I predict its counterpart, Safari, will fall by Day 2.