Summary: How long would it take a determined attacker to
hack into Apple's iPhone 4S from scratch? A Dutch research team uses
the Pwn2Own contest to provide the answer.
AMSTERDAM -- How long would it take a determined attacker to hack into Apple's iPhone device from scratch?
That was the intellectual challenge that drove a pair of Dutch
researchers to start looking for an exploitable software vulnerability
that would allow them to hijack the address book, photos, videos and
browsing history from a fully patched iPhone 4S.
The hack, which netted a $30,000 cash prize at the mobile Pwn2Own
contest here, exploited a WebKit vulnerability to launch a drive-by
download when the target device simply surfs to a booby-trapped web
site.
"It took about three weeks, starting from scratch, and we were only
working on our private time," says Joost Pol, CEO of
Certified Secure,
a nine-person research outfit based in The Hague. Pol and his colleague
Daan Keuper used code auditing techniques to ferret out the WebKit bug
and then spent most of the three weeks chaining multiple clever
techniques to get a "clean, working exploit."
"We really wanted to see how much time it would take a motivated
attacker to do a clean attack against your iPhone. For me, that was the
motivation. The easy part was finding the WebKit zero-day," Pol said in
an interview.
"It was a basic vulnerability but we had to chain a lot of things
together to write the exploit," Pol said, making it clear that the
entire exploit only used a single zero-day bug to sidestep Apple's
strict code signing requirements and the less restrictive MobileSafari
sandbox.
The exploit itself took some jumping around. Because the WebKit bug
was not itself a use-after-free flaw, the researchers first had to
turn it into a use-after-free scenario and then abuse that to trigger a
memory overwrite. Once that was achieved, Pol and Keuper used the memory
overwrite to construct a read/write gadget, which gave them a means to
read from and write to the iPhone's memory. "Once we got that, we created a
new function to run in a loop and used JIT to execute the code without
signing," Keuper explained.
It was a clever end-run around Apple's code signing requirements, and Pol
described the entire exploit as "messing up the iPhone state internally
in such a fashion that we got a lot of little bugs."
"We specifically chose this one because it was present in iOS 6 which
means the new iPhone coming out today will be vulnerable to this
attack," Pol said. Over the course of the research, Pol and Keuper
tested the exploit on the iOS 6 GM (golden master) code and also
confirmed that it worked on the iPad, iPhone 4, iPod touch (all previous
versions).
Although the successful attack exposed the entire address book,
photo/video database and browsing history, Pol and Keuper said they did
not have access to the SMS or e-mail database. "Those are not accessible
and they're also encrypted," Keuper explained.
Despite obliterating the security in Apple's most prized product, Pol
and Keuper insist that the iPhone is the most secure mobile device
available on the market. "It just shows how much you should trust
valuable data on a mobile device. It took us three weeks, working from
scratch, and the iPhone is the most advanced device in terms of
security."
"Even the BlackBerry doesn't have all the security features that the
iPhone has. For example, BlackBerry also uses WebKit but they use an
ancient version. With code signing, the sandbox, ASLR and DEP, the
iPhone is much, much harder to exploit," Pol said matter-of-factly.
He reckons that the Android platform is also "much better" than
BlackBerry and said the decision to go after iPhone 4S at Pwn2Own was
simply aimed at going after the harder target.
"We really wanted to show that it is possible, limited time, with
limited resources, to exploit the hardest target. That's the big
message. No one should be doing anything of value on their mobile
phone," Pol said.
Pol said he never considered the value of the vulnerability and
exploit on the open market. "We have a successful company so money is
not our motivation. How much did we win? I don't even know for sure. We
are not in the business of selling zero-days. That's boring."
"It's really about the research to make a fair, transparent and open message that a motivated attacker will always win."
During the Pwn2Own attack, Pol created a web site that included an
amusing animation of the Certified Secure logo taking a bite of the
Apple logo. The drive-by download attack did not crash the browser so
the user was oblivious to the data being uploaded to the attacker's
remote server. "If this is an attack in the wild, they could embed the
exploit into an ad on a big advertising network and cause some major
damage."
The duo destroyed the exploit immediately after the Pwn2Own hack. "We
shredded it from our machine. The story ends here, we're not going to
use this again. It's time to look for a new challenge," Pol said.
He provided the vulnerability and proof-of-concept code that
demonstrates the risk to contest organizers at HP TippingPoint Zero Day
Initiative (ZDI).
Pol also wanted to make a larger point about vulnerability research
and the way it is perceived in the industry. "You know, people think
that these things are so hard to do, that it's only theoretical and that
it's only Charlie Miller or Willem Pinckaers (previous Pwn2Own winners)
capable of doing this. There are many people -- good and bad -- who can
do this. It's important for people to understand, especially
businesses, that mobile devices should never be used for important
work."
"The CEO of a company should never be doing e-mail or anything of
value on an iPhone or a BlackBerry. It's as simple as that. There are a lot
of people taking photos on their phones that they shouldn't be taking,"
Pol said, emphasising that a mass-attack using rigged ad networks could
be incredibly dangerous.
Source:
zdnet