Latest iPhone and Android both hacked at the Pwn2Own contest

September 21, 2012

These days when I’m not looking for the latest news about Vita and PS3 hacking, I am also highly interested in the hacking of other devices. One thing my past research on libtiff has shown me is that lots of devices share weaknesses, and it’s always interesting to see what’s going on outside of the console world. Android and iOS in particular get lots of attention because of the high amount of people using them, and the amount of personal information we trust these devices with. A few days ago at the EuSecWest conference (Amsterdam), two separate teams of researchers showed new exploits for the iPhone and Android respectively.

The Android hack sounds pretty impressive. Using NFC (a wireless communication standard for mobile devices), the hackers were able to upload a malicious file to the phone (they gave the precision that this could also potentially be done via email, or downloading a file through the browser), trigger an exploit, then gain access to the most interesting parts of the phone through privilege escalation, enough to install a crafted app that send the contents of the phone’s contact database to a remote “attacker”. One interesting bit is that the initial exploit (based on some memory corruption, this could be, for example, a buffer overflow like those we use typically in VHBL exploits) needed to be triggered 185 times in order for the Ram to be in a “good” state to trigger the next exploit (the privilege escalation).

The researchers mention that Android has all the latest Linux-like securities implemented, such as ASLR (Address Space Layout Randomization, a technique to prevent hackers from easily “guessing” what will be where in Ram. This is a technique that we believe the Vita OS uses as well since it is based on freebsd), but they were able to overcome that due to a few errors in the implementation of these security techniques.

The exploit itself will not be revealed until a patch is made for Android, but with the slow-as-hell update rate of Android devices, one has to wonder how long the vulnerability will be an actual threat.

The iOS exploit feels much straightforward, not because it was less technical, but because the hackers said they found the vulnerability AND exploited it in less than 3 weeks. They say the exploit works on the iPhone4S, the iPad, and is very likely to work on the iPhon5 as well.

More interestingly, the exploit is apparently in Webkit, the engine behind the iOS web browser. Were this is interesting and frightening is that Webkit is used by many browsers nowadays, not only the one on iOS, but Safari on PCs, Android too… (and, wink wink, the PS Vita as well).

This exploit could also represent quite a threat on unpatched devices. Of course, for some iPhone owners, this will probably mean a possibility to jailbreak, but this could also be a security threat leaving room for malware and other not-so-cool stuff. For Vita hackers, this could be a new entry point for a Vita native hack… historically, Sony has not been very fast at patching critical security issues on third-party components, but I don’t know how fast they would react for their latest device.

Any of you stuck on an old android version because of your carrier’s decisions?


Tweet this!Tweet this!

Previous post:

Next post: