Feeds

back to article iPhone and BlackBerry brought down in hacker competition

Smartphones from Apple and Research in Motion were the latest devices to take a beating at an annual hacker contest that has come to expose the inherent weaknesses of internet communication. Apple's iPhone 4 was brought down by a drive-by attack that exploited a heap overflow in code related to the handset's Safari browser. It …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Under contest rules, software versions were locked two weeks ago

So when did google patch Jon Oberheide's vuln? since it was only last week that the issue surfaced in the media...

He could be double doh'd if his vuln is still in the contest version.

0
0
Thumb Up

RE: AC

His vulnerablility on affects anything running before 2.3 so it wouldn't work on the Galaxy S anyway.

Big winners here: Android and Firefox!

0
0

In what way are they winners?

Just because 'droid and FF weren't attacked, I don't see them being winners. We didn't learn anything about their vulnerability to attack because the people lined up have not stated why they withdrew.

It could be that their exploit was patched, but it could be for any number of other reasons including agreements with third parties to not disclose the hack - also for any number of reasons.

1
0
Anonymous Coward

Why not Firefox or Android?

Seems odd that no-one wanted to try their hand at either of the two open source platforms.

Was it because :

Having the source code made it too easy?

Having the source code made obvious it would be too hard?

Or just that no-one could be bothered?

0
1
Gold badge
WTF?

Historical figures.

"....compared their task........to finding their way through a labyrinth in the pitch dark..."

So Theseus was the world's first hacker then?

1
0
Silver badge
Happy

How about a real tough one: RSA 4.096 bit with AES 256

Anyone cracking this baby will really be popular with the U.S. Federal Government as they hang a hell of a lot of stuff on this.

Worth a damn sight more than USD$15.000!

1
0
Silver badge
Grenade

the big fear

That is the big fear is that these vuln are now worth a lot more than 10 or 15k to the right people (Chinese, Israel, Russian mob, etc). Perhaps this why we see only the low hanging fruit (honestly with IE how hard is it to find one of dozen of vulns) compromised.

0
0
Flame

Perfect description of a BlackBerry

“It's a system that no one knows anything about. Basically, it crashes or it doesn't crash, or it takes a very long time to respond. Those are the three options. So you have to (move) very slowly, one step at a time.”

Heh.

0
0
Silver badge

So...

Adding the WebKit browser to the BB OS actually made it *less* secure?

Geeze, looks like RIM is trading security for "shiny!" now. :(

0
0

What's in a hack?

Really, getting a message past a spam filter to trick a user into going to a custom crafted website just to gain access the contact list? it can't gain admin access, it can't install remote code, it can't be remotely controlled to do anything, it can't access e-mail or the user local file system where data of VALUE is; these hacks are just pointing out exploits but even these top hackers and teams of hackers can't use an automated tool to remotely breach actual device security.

Who cares if my contact list gets siphoned off... It;s e-mail addresses, physical addresses, names and numbers. 99% of that is already floating around out there anyway (much of it and more in PUBLIC record). If you;re storing account numbers and password and such in your contacts, or sending them through unsecured SMS, you;re already a moron.

When they can have a bot install remote code and key-log the iPhone's virtual keyboard, or access the files in local storage, we'll call them winners.

I applaud the effort for finding these vulnerabilities, even more so that it's done with specific intent to provide the manufacturer's time to fix them, and with this contest and ones like it to continue, but lets not let the press blow things out of proportion here... Its far easier to get a virus into an android device simply by uploading it through the marketplace than it is to steal some names and numbers here through actual hacking and trickery... The encrypted parts of the iPhone have NEVER ONCE been breached, permission escalation has never been achieved, and remote code installation equally so. The only real "hacK' of these things ever shown was either given PHYSICAL access to it, or used a loophole in a jailbreak that left SSH Server running with a default published root password (oops).

0
1
Stop

Bollocks

Read it again, please.

"Willem Pinckaers, a researcher with security firm Matasano, and independent researcher Vincenzo Iozzo were able to steal a complete contact list and and cache of pictures stored on the device and write a file to its storage system."

Be mighty interesting if a spear-phishing expedition managed to do this to the personal phone of a highly placed executive, wouldn't it? Perhaps get some interesting pictures of the missus? On the business end, a list of business contacts would be of prime interest to competitors. It shows who your suppliers are, who your customers are, and who may be more than just that. Plant some child porn on the phone perhaps, get them banged up for a few years on an anonymous tip?

The goal of the contest was to prove that it was possible to break past the security. You are talking about weaponizing the exploit, which is beyond the scope of this contest. No, the sky is not falling. The Emperor does have clothes on. But the draft suggests they may be a hospital gown.

2
0
FAIL

chain together jailbreakme.com ... ?

I'm sure if the writer of jailbreakme.com had put their mind to it for iOS 4.0, they could have pwned any of those devices that used the site to execute jailbreaks and then nav the filesystem to get whatever they wanted.

0
0
This topic is closed for new posts.