iPhone and BlackBerry brought down in hacker competition Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication. Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It …
Just because 'droid and FF weren't attacked, I don't see them being winners. We didn't learn anything about their vulnerability to attack because the people lined up have not stated why they withdrew.
It could be that their exploit was patched, but it could be for any number of other reasons including agreements with third parties to not disclose the hack - also for any number of reasons.
Really, getting a message past a spam filter to trick a user into going to a custom crafted website just to gain access the contact list? it can't gain admin access, it can't install remote code, it can't be remotely controlled to do anything, it can't access e-mail or the user local file system where data of VALUE is; these hacks are just pointing out exploits but even these top hackers and teams of hackers can't use an automated tool to remotely breach actual device security.
Who cares if my contact list gets siphoned off... It;s e-mail addresses, physical addresses, names and numbers. 99% of that is already floating around out there anyway (much of it and more in PUBLIC record). If you;re storing account numbers and password and such in your contacts, or sending them through unsecured SMS, you;re already a moron.
When they can have a bot install remote code and key-log the iPhone's virtual keyboard, or access the files in local storage, we'll call them winners.
I applaud the effort for finding these vulnerabilities, even more so that it's done with specific intent to provide the manufacturer's time to fix them, and with this contest and ones like it to continue, but lets not let the press blow things out of proportion here... Its far easier to get a virus into an android device simply by uploading it through the marketplace than it is to steal some names and numbers here through actual hacking and trickery... The encrypted parts of the iPhone have NEVER ONCE been breached, permission escalation has never been achieved, and remote code installation equally so. The only real "hacK' of these things ever shown was either given PHYSICAL access to it, or used a loophole in a jailbreak that left SSH Server running with a default published root password (oops).
Read it again, please.
"Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and and cache of pictures stored on the device and write a file to its storage system."
Be mighty interesting if a spear-phishing expedition managed to do this to the personal phone of a highly placed executive, wouldn't it? Perhaps get some interesting pictures of the missus? On the business end, a list of business contacts would be of prime interest to competitors. It shows who your suppliers are, who your customers are, and who may be more than just that. Plant some child porn on the phone perhaps, get them banged up for a few years on an anonymous tip?
The goal of the contest was to prove that it was possible to break past the security. You are talking about weaponizing the exploit, which is beyond the scope of this contest. No, the sky is not falling. The Emperor does have clothes on. But the draft suggests they may be a hospital gown.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
