Experts hack iPhone SMS database in 20 sec

By siliconindia | Monday, 29 March 2010, 15:31 IST
Bangalore: Two security researchers found an exploit to hack the iPhone's SMS database in 20 seconds while displaying their skills at the Pwn2Own contest at the CanSecWest security show. Ralf Philipp Weinmann of the University of Luxembourg and Vincenzo Iozzo of German company Zynamics found this iPhone exploit, which won them a $15,000 prize, reported ZDNet.

The iPhone was not the only thing to get hacked. Safari on Snow Leopard, as well as Internet Explorer 8 and Firefox on Windows 7, got hacked too, according to TechTree.

Weinmann and Iozzo collaborated on finding the vulnerability and then writing an exploit; the entire process took two weeks. For the hack to work, an iPhone user has to visit a website hosting malicious code, which then steals the iPhone's SMS database, all in a matter of 20 seconds! Weinmann explained, "Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control".

Thomas Dullien, Weinmann's colleague, explained that the attacker had the potential to do more damage without leaving the iPhone sandbox, a tightly controlled set of resources for running unverified code. The exploit was written to bypass the digital signatures used to verify whether code in memory is from Apple. Weinmann pointed out that there is a non-root user called 'mobile' with certain user privileges, and that using the exploit he could do anything that 'mobile' (the non-root user) can do.

Charlie Miller, principal security analyst at Independent Security Evaluators, found an exploit to hack Safari on a MacBook Pro without physically touching the machine and won $10,000 in prize money.