First day of CanSecWest, meeting and conference for "white hat" hackers, and as always for some time now the efforts of all the participants in the inevitable competition for the unhinging of safety barriers have focused on iPhones which, as previously announced, falls.
The hack was carried out by Philipp Weinmann in collaboration with the Italian Vincenzo Iozzo who managed to steal the entire database of SMS messages from the victim iPhone, including those already deleted by the user.
The attack started with a visit to a (hypothetical) hacker-controlled website where the malicious code was hidden: the latter enters into operation and uploads all the SMS messages in memory, without the user having to notice it. A new technique studied for months thanks to which the two security experts won the prize of 15 thousand dollars.
Recall that Vincenzo Iozzo has already been a protagonist in the world of security for the discovery of some original attack systems in the first months of 2009. His technique for injecting malicious code into the RAM of a Mac OS X system was presented in the Black Hat Conference of the year last.
iPhone was not the only Apple product to drop. Keeping the tradition that uses the Apple as an advertising factor (both for the visibility of the brand and for the fact that Apple makes products safer in the vulgate) Safari on Mac has also been attacked. The Pwn2Own competition was won by the famous Charlie Miller, expert in Mac security at Independent Security Evaluators. On this occasion Miller did not provide details about the technique used for the new attack, specifying only that the victim computer was compromised after visiting a site containing malicious code. Miller was awarded the hacked Mac laptop and a $ 10,000 cash prize. Thanks to this new hack Charlie Miller the only hacker to have won the Pwn2Own for three consecutive years: we remember the prize of 10 thousand dollars in 2008 and of 5 thousand dollars in 2009 always with a hack in Safari.
The young hacker who managed to "pierce" Firefox, finally, known only by the name of Mils: the expert refused to provide the surname during the event. Nils won the $ 10,000 prize, while last year he had won $ 15,000 by demonstrating the hack on Internet Explorer 8, Safari and Firefox.
Finally, observers and security experts at Pwn2Own rated the hack performed by Peter Vreugdenhil to attack Internet Explorer 8 on a machine with Windows 7 as "technically impressive". The attack divided into 4 parts has overcome two technologies implemented just to avoid this type of threats made through browsers, sign ASLR ie the Address Space Layout Randomization and then also the DEP, from the initials of Data Execution Prevention. At the end of the operation, the hacker obtained the privileges of a user to perform any operation on the victim computer, which were used in the test to launch the execution of the Windows calculator.
Remember that TippingPoint the security company that organizes and finances Pwn2Own does not disclose the techniques used in hacks. The rights to the technologies and methods of attack become the property of TippingPoint which immediately communicates them to the builders and developers concerned who can thus resolve the flaws.
We also remember that these events, as mentioned well sponsored and with rich cash and hardware prizes, are prepared for months and months by hackers for whom winning the contest means taking home a good portion of your annual income. In many cases the techniques used are applicable are in very particular cases and even if they end with victories achieved in a few seconds they are completely irreproducible in a real life context, much less in the short time employed by hackers.