Latest iPhone and Android both hacked at the Pwn2Own contest

These days when I’m not looking for the latest news about Vita and PS3 hacking, I am also highly interested in the hacking of other devices. One thing my past research on libtiff has shown me is that lots of devices share weaknesses, and it’s always interesting to see what’s going on outside of the console world. Android and iOS in particular get lots of attention because of the large number of people using them, and the amount of personal information we trust these devices with. A few days ago at the EuSecWest conference (Amsterdam), two separate teams of researchers showed new exploits for the iPhone and Android respectively.

The Android hack sounds pretty impressive. Using NFC (a short-range wireless communication standard for mobile devices), the hackers were able to push a malicious file to the phone (they pointed out that the same file could also be delivered via email, or by downloading it through the browser), trigger an exploit, then gain access to the most interesting parts of the phone through privilege escalation, enough to install a crafted app that sends the contents of the phone’s contact database to a remote “attacker”. One interesting bit is that the initial exploit (based on some memory corruption; this could be, for example, a buffer overflow like those we typically use in VHBL exploits) needed to be triggered 185 times in order for the RAM to be in a “good” state to trigger the next exploit (the privilege escalation).

The researchers mention that Android has all the latest Linux-style security mitigations implemented, such as ASLR (Address Space Layout Randomization, a technique that prevents hackers from easily “guessing” what will be where in RAM; we believe the Vita OS uses it as well, since it is based on FreeBSD), but they were able to overcome them thanks to a few errors in the implementation of these security techniques. A mitigation like ASLR only helps if everything is randomized: a single library, stack or executable that lands at the same address on every run gives an exploit a stable anchor to work from.
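To make the “incomplete ASLR” idea concrete, here is an added example (my own illustration, not code from the Pwn2Own teams or from the original post). It parses two /proc/&lt;pid&gt;/maps snapshots of the same program taken from two separate launches and reports every region whose base address did not move, which is exactly the kind of fixed anchor an attacker looks for. The two snapshots, the paths in them (/system/bin/app_process, /system/bin/linker, /system/lib/libc.so) and the addresses are constructed for illustration, not captured from a real device.

```python
"""Spot mappings that ASLR leaves at a fixed address across process runs.

Added example, not part of the original post.  Feed it /proc/<pid>/maps
text from two or more launches of the same binary; any region reported
by unrandomized_regions() is a stable address an exploit can rely on
even though "ASLR is enabled".  The snapshots below are constructed.
"""
import re

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

# Constructed snapshot from a hypothetical first launch.
RUN_1 = """
00008000-0000a000 r-xp 00000000 b3:0c 1234    /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:0c 1234    /system/bin/app_process
0000b000-0001c000 rw-p 00000000 00:00 0       [heap]
40123000-40180000 r-xp 00000000 b3:0c 5678    /system/lib/libc.so
40180000-40183000 rw-p 0005d000 b3:0c 5678    /system/lib/libc.so
b0001000-b0009000 r-xp 00000000 b3:0c 9012    /system/bin/linker
be9f1000-bea12000 rw-p 00000000 00:00 0       [stack]
"""

# Constructed snapshot from a hypothetical second launch: libc and the
# stack moved, but the non-PIE executable, the heap and the linker did not.
RUN_2 = """
00008000-0000a000 r-xp 00000000 b3:0c 1234    /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:0c 1234    /system/bin/app_process
0000b000-0001c000 rw-p 00000000 00:00 0       [heap]
4005a000-400b7000 r-xp 00000000 b3:0c 5678    /system/lib/libc.so
400b7000-400ba000 rw-p 0005d000 b3:0c 5678    /system/lib/libc.so
b0001000-b0009000 r-xp 00000000 b3:0c 9012    /system/bin/linker
bebc2000-bebe3000 rw-p 00000000 00:00 0       [stack]
"""


def parse_maps(text):
    """Return {region_name: lowest start address} for one maps snapshot.

    A region is named by its backing path ([stack], [heap], a library...).
    Several segments of one object are collapsed to the lowest start
    address, so randomization is judged per object rather than per segment.
    """
    bases = {}
    for line in text.strip().splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable maps line: %r" % line)
        start = int(m.group(1), 16)
        name = m.group(7) or "[anon]"
        if name not in bases or start < bases[name]:
            bases[name] = start
    return bases


def unrandomized_regions(*snapshots):
    """Sorted names of regions present in every snapshot at the same base."""
    parsed = [parse_maps(s) for s in snapshots]
    common = set(parsed[0])
    for p in parsed[1:]:
        common &= set(p)
    return sorted(name for name in common
                  if len({p[name] for p in parsed}) == 1)


def read_maps(pid):
    """Live helper for Linux/Android hosts: read /proc/<pid>/maps as text."""
    with open("/proc/%d/maps" % pid) as f:
        return f.read()


if __name__ == "__main__":
    for name in unrandomized_regions(RUN_1, RUN_2):
        print("not randomized:", name)
```

On the constructed data this reports the executable, the heap and the linker as fixed; on a real target you would collect snapshots with read_maps() over several launches of the process you care about and treat anything in that list as a weakness in the ASLR deployment.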

The exploit itself will not be revealed until a patch is made for Android, but with the slow-as-hell update rate of Android devices, one has to wonder how long the vulnerability will remain an actual threat.

The iOS exploit feels much more straightforward, not because it was less technical, but because the hackers said they found the vulnerability AND exploited it in less than 3 weeks. They say the exploit works on the iPhone 4S and the iPad, and is very likely to work on the iPhone 5 as well.

More interestingly, the exploit is apparently in WebKit, the engine behind the iOS web browser. Where this gets interesting and frightening is that WebKit is used by many browsers nowadays, not only the one on iOS, but Safari on PCs, the Android browser too… (and, wink wink, the PS Vita as well).

This exploit could also represent quite a threat to unpatched devices. Of course, for some iPhone owners, this will probably mean a possibility to jailbreak, but it is also a security risk, leaving room for malware and other not-so-cool stuff. For Vita hackers, this could be a new entry point for a Vita native hack… historically, Sony has not been very fast at patching critical security issues in third-party components, but I don’t know how fast they would react for their latest device.

Any of you stuck on an old android version because of your carrier’s decisions?

Source: Computerworld.com, mwrinfosecurity.com

  1. TechWolf’s avatar

    Good writeup. One has to take the goods with the bads these days with their technology. I keep my saved personal data to a minimum on my androids and iOS devices for this very reason. I must admit, though, new hacks and exploits are always welcome when it comes to my favorite gaming devices. :D

  2. SofaKing™’s avatar

    good stuff, i hope this will help in the development of a more permanent homebrew loader.

  3. fate6’s avatar

    holy **** they exploited WebKit!!!! 0__0
    well played I say :3

  4. Jd8531’s avatar

    Speaking of news, supposedly Naehrwert got level 2 Kernel access on PS3. I’m still looking into it….

    1. wololo’s avatar

      He gave the precision himself (twitter) that this was not “such a big deal”. It’s some improvement, but it could lead to nothing if nobody spends a good amount of time investigating if the thing is exploitable or not. That’s how I understand it.

      1. Jd8531’s avatar

        I just got on twitter and saw that and He also gave some more information on his wordpress. nwert.wordpress.com/2012/09/19/exploiting-lv2/
        Seems people and sites like to twist the facts -_-

  5. natsu’s avatar

    I use an international version of galaxy note and it is unlocked so i can manually flash roms, kernel and whatnot.. =)

  6. qwikrazor87’s avatar

    185 times?! It makes the ChickHen tiff exploit seem less burdensome. lol

    1. wololo’s avatar

      Lol yeah, except I assume the 185 times are in an automated loop.

  7. Telgar’s avatar

    Nice article Wololo, I like how your website keeps us up to date on a lot of things like this, not just on Vita hacking. More enjoyable to visit than the other hacking websites that can feel dead for days or weeks on end.

    1. 3rdroyd’s avatar

      Absolutely Agree!

  8. lerica’s avatar

    nice article.. for consoles it’s a relatively fast patch, or at least consoles get the patch even if it’s late, unlike old smartphones which are unsupported after some time

  9. Wrozen’s avatar

    Yea, I’m an HTC Thunderbolt owner on Gingerbread 2.3.4 because HTC is a month past their ICS release date, but they’re still promising it (eventually). I would use an ICS rom but none are good enough for me.

  10. SSJ-Vita’s avatar

    I just wanted to throw this out there, I think it would do magic for the sales of the Ouya: Have the option for a wii u like console/controller for it. But the real kicker would be a slot for a sim card with phone capabilities. I wish my vita could be a phone or at least a mini windows 7.

  11. solidsnake’s avatar

    Any word on hacking my corded wall phone, or am I safe?

  12. solidsnake’s avatar

    what about my typewriter, walkman, and vcr

  13. Simon Davies’s avatar

    You never have to be stuck on an old Android Version Wololo as we have CyanogenMod :)
