
All times are UTC + 8 hours




PostPosted: Mar 26th, '10, 00:34 
Nocky wrote in another thread wrote:
The world's most hacker-proof operating system for firewall protection and server hosting.
"The IPAD-OS sets the security bar much higher than ever before. No other operating system comes close."

A pair of European researchers used the spotlight of the CanSecWest Pwn2Own hacking contest to break into a fully patched iPhone and hijack the entire SMS database, including text messages that had already been deleted.

Using an exploit against a previously unknown vulnerability, the duo lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.

The exploit crashed the iPhone’s browser session but Weinmann (one of the hackers) said that, with some additional effort, he could have a successful attack with the browser running.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained.

In addition to hijacking the SMS database, Weinmann said the exploit could have exfiltrated the phone contact list, the email database, photographs and iTunes music files.

In the iPhone sandbox, Weinmann said there’s a non-root user called ‘mobile’ with certain user privileges. “With this exploit, I can do anything that ‘mobile’ can do.”

Weinmann and Iozzo won a $15,000 cash prize and got to keep the hijacked iPhone.

P.s ... don't feel too bad... the same pair hacked IE8 running on windows 7 in about the same time... and won the overall comp...


PostPosted: Mar 26th, '10, 02:05 
Legend Member

Joined: Sep 28th, '08, 14:21
Posts: 595
Gender: Male
Are you human?: YES
Location: Wyndham Vale, Melbourne, Australia.
Hmm sounds like someone is jealous they don't have an iphone :)

Maybe I shouldn't drive a car because someone might break into it and steal my diary from the glovebox.

It was bound to happen as it is a hugely popular device worldwide. It isn't going to stop me using mine though.

The things I can do with it over and above a normal phone outweigh the "will someone hack into me" concern.


PostPosted: Mar 26th, '10, 05:15 
Seriously, this cant be healthy.

Joined: Oct 11th, '07, 19:43
Posts: 6687
Gender: Male
Are you human?: Not at 3 am :(
Location: Kalgoorlie
Yep :)


PostPosted: Mar 26th, '10, 07:21 
Bordering on Legend

Joined: Aug 18th, '09, 11:20
Posts: 461
Location: Alice Springs, Northern Territory
Gender: Male
Are you human?: Occasionally
Location: Central Australia
Totally agree Embi
As a work tool its ease of use and reliability are second to none
Apart from digging trenches and housework I have never found a task that cannot be carried out on my iPhone but I'm sure that an application will be available for those shortly :wink:


PostPosted: Mar 26th, '10, 09:33 
Many people are using their phones, not just the iPhone... for online banking and e-commerce...

And many assume that their personal details and credit card info are secure.... they're not... even on the iPhone, which was touted as being basically "unhackable"...

My contention... which some dismissed out of hand... is that any use of mobile phones... are not only hackable, but easily done...

Be cautious as to what you're prepared to use them for....iPhone or otherwise.... they are NOT secure devices... at all...


PostPosted: Mar 26th, '10, 09:55 
Almost divorced

Joined: Dec 5th, '09, 03:00
Posts: 1237
Location: Houston, Texas
Gender: Male
Are you human?: No, The Missing Link
Location: Houston Texas
RupertofOZ wrote:
My contention... which some dismissed out of hand... is that any use of mobile phones... are not only hackable, but easily done...


Just because a couple of researchers (who most definitely are not your ordinary hackers) downloaded some SMS info, does not mean hacking an iPhone is easy. If it was easy there would be more of said problems. The bottom line is that any browser has vulnerabilities and with the right scripts you can access stuff usually in a predefined sandbox. And as with all browsers, in Safari you can disable JavaScript which would alleviate any risks, and your European researchers would have gotten nada. The iPhone is without question the most stable and safe platform available - unless of course you have a VAX11/780 running VMS in your garage.

Now unless an iPhone is jailbroken, the only way to get software to run in shared memory outside of the sandbox is to get it certified by Apple. Not many viruses and scams are going to make it through that process. Heck - I've read where legit developers give up on the iPhone as a platform as getting into the App Store is difficult at best, near impossible for some.


PostPosted: Mar 26th, '10, 10:33 
Didn't post this thread so much to criticise the iPhone... it's a smick piece of technology...

No, I don't own one... I just don't need one... my current phone enables me to make calls and send/receive text messages... and that's good enough for me...

I posted more to try and counter the blased belief that most people have that...

Mobile phones (in general) are secure... and can't be monitored...

iPhones and/or the Mac OS are unhackable...and don't get viruses...

They ARE NOT....

I recently posted how an Australian hacker wrote a virus for the iPhone... and these guys hacked an "unaltered" iPhone... from within the iPhone's "sandbox".... at a "root level"... akin (like all Linux systems) to "superuser" privilege...

A large majority of iPhones have been jailbroken.. and run unauthorised apps... and I believe this is potentially a major forthcoming source of virus dissemination...


Given the increasing usage of mobile devices, iPhone or others.... for online transactions... people need to be made aware... that they are not secure...

And that in fact almost anyone, with freely available software and a bit of just as easily obtained hardware... can monitor and trap your mobile data...

And that, while in this case these blokes were perhaps skilled researchers... it only took them 2 weeks to develop the exploit... and 20 secs to secure and redirect access... and to demonstrate that they could quite easily take full control of the device and your data...

Most professional hackers and virus writers have a level of skill that not only matches the people in this case... but goes way beyond... and many have links with dubious crime syndicates... usually for the purposes of identity theft...

I'm merely trying to warn people that the line..."the iphone is secure and unhackable"... and/or that mobile phone transmissions are secure.... just isn't true...

P.S... no I don't have a VAX11/780 in my basement... but I do have a dual Alphaserver cluster running VMS 8.1 ... :wink:


PostPosted: Mar 26th, '10, 10:38 
Almost divorced

Joined: Dec 5th, '09, 03:00
Posts: 1237
Location: Houston, Texas
Gender: Male
Are you human?: No, The Missing Link
Location: Houston Texas
RupertofOZ wrote:
P.S... no I don't have a VAX11/780 in my basement... but I do have a dual Alphaserver cluster running VMS 8.1 ... :wink:


Sweet - Now I know why I like you so much!


PostPosted: Mar 26th, '10, 10:41 
Almost divorced

Joined: Dec 5th, '09, 03:00
Posts: 1237
Location: Houston, Texas
Gender: Male
Are you human?: No, The Missing Link
Location: Houston Texas
PS - did my eyes deceive me, or did I catch a PDP vs VAX slip in there. The PDP 1170 was the launching ground for much of what we know as computing today.


PostPosted: Mar 26th, '10, 10:51 
Yep... I did slip a "PDP" in there before I realised... :lol:

P.S ...I've been a VMS System Manager from the days of VMS 3.0 through to about VMS7... and have played with every Digital model from the PDP through to the early days of the Alphaservers, even running NT 4.0...

I keep my hand in with my home system...


PostPosted: Mar 26th, '10, 11:04 
A posting God

Joined: Mar 9th, '08, 13:06
Posts: 2840
Location: Margaret River
Gender: Male
Are you human?: Only after 10am
Location: South West, Western Australia
the best way to get someone to hack something is to advertise it's hacker proof, this is why MS put out so many updates and service packs, if a program is writable then it's hackable, plenty of geeks out there with nothing else to do, most hacks are done by school aged teenagers, a few pirate forums (not that I use them) give people credits for hacking software and gaming programs and the hackers get a moment of fame, unfortunately for them the authorities now frequent such forums and recently an Aussie got busted for uploading a PS (from memory) game that was released in OZ a week earlier than the rest of the world, he cracked the copy code and then blow arsed about it in a warez forum, the gaming company has estimated that they lost $20m by his actions and are suing him for it. I have a flash work supplied phone but use it as a phone only (+ MP3 player) it's fine being able to use it for browsing and social networking, but all that does is leave you open to having your phone hacked and all stored information accessed, I know younger people that store PINs and bank info on their phone which to me is totally ridiculous, yes I do have some of that info on my PC but I have firewalls, a variety of trojan and malware scanners plus antivirus, my PC isn't switched on 24/7, I don't access social networking sites which are a good portal for hackers. Phone companies promote free access to Facebook, twit ter etc again a good portal for hackers, twit users seem to post everything like "just transferring money" invite for a hack attempt? have NFI why a phone can't be just a phone :dontknow:


PostPosted: Mar 26th, '10, 11:20 
Almost divorced

Joined: Jan 1st, '08, 15:35
Posts: 1054
Location: Perth
Gender: Male
Are you human?: Nope - Nexus 6
Location: variable
waaaaa you're lying, my Mac is unhackable and never had a virus.
I don't believe you la la la la I'm not listening

I was just now looking into getting one of the new credit card readers and an iPhone (or android) to plug it into - same price as renting a portable eftpos off the bank but with no extra fees, plus I get to use it as a phone as well. now you're shooting my idea down in flames before I even begin. poop

heh Nocky - the "just transferring money" is just like people leaving their GPS's in their parked cars - it yells "I'm not at home" to anyone breaking into the car then all they have to do is turn the gps on and click "go home" to find the address ...


PostPosted: Mar 26th, '10, 12:02 
The biggest threat to online transactions Boris... isn't so much the security of the devices at either end... but during the transmission of the data..

While most data has some encryption... most employ commonly known encryptions... and the hackers/private eyes/crooks and "other" security organisations... can all access pretty freely available tools to "eavesdrop"...

The "Blackberry" actually has the best level of encryption and security of all the mobile devices...

Which is why many businesses, government agencies, security organisations and crooks... all use them...


PostPosted: Mar 26th, '10, 12:33 
A posting God

Joined: Mar 9th, '08, 13:06
Posts: 2840
Location: Margaret River
Gender: Male
Are you human?: Only after 10am
Location: South West, Western Australia
never leave the GPS in car either Boris, mate had his stolen from car in city and they hit the home button drove to here and raided his house, left his gps on table with thanks written on piece of paper :dontknow:


PostPosted: Mar 26th, '10, 12:43 
Almost divorced

Joined: Feb 25th, '07, 21:27
Posts: 1103
Location: Middle Swan, Perth ,W.A
Gender: Male
Nocky wrote:
never leave the GPS in car either Boris, mate had his stolen from car in city and they hit the home button drove to here and raided his house, left his gps on table with thanks written on piece of paper :dontknow:


man that is harsh, it's bad enough that they took his car and raided his house but to rub it in like that is pretty low

glad I can't afford a gps :)

Cheers
pete

