Never miss an update Follow AppleInsider
Thursday, March 25, 2010, 02:25 pm
Apple's iPhone, Safari exploited at annual hacking contest
Virtually every major browser and operating system were targets at this week's "Pwn2Own" hacking contest, with Apple Safari, Mozilla Firefox, and Internet Explorer 8 vulnerabilities exploited, along with flaws in the iPhone OS.On the first day of the competition based in Vancouver, British Columbia, Canada, researchers found a way to take advantage of Apple's Safari browser in Mac OS X 10.6 Snow Leopard, its latest operating system, according to CNet.
Unsurprisingly, Charlie Miller, principal security analyst with Independent Security Evaluators, took home the $10,000 prize after he hacked Safari on a MacBook Pro without having access to the machine. He's the same researcher who cracked Safari in Mac OS X last year, taking home the $5,000 prize. He also hacked a MacBook Air in 2008 at the competition.
Miller has also repeatedly said that he believes Macs are a safer alternative to Windows PCs for average users. He cited the lack of malware on the Mac platform as the principal reason for his recommendation.
Last year Miller also discovered an SMS hack in the iPhone that Apple quickly patched after it was made public. But researchers at this year's Pwn2Own found yet another SMS hack to take home a $15,000 prize.
Ralf-Phillip Weinmann, from the University of Luxembourg, and Vincenzo Iozzo, from German company gained access to an iPhone that was not "jailbroken," a procedure that allows users to run unauthorized code and unlock the handset for use on unapproved carriers.
By making a user visit a malicious Web site, the exploit allowed the researchers to access the phone's entire database of text messages, including deleted ones. The two wrote the hack in about two weeks, and the data was received in the competition in under 20 seconds.
The two said the hack could be modified to allow access to more data, such as contacts and photos. The transfer takes place without the victim ever knowing they have been hacked.
By accepting prizes at the Pwn2Own competition, put on by TippingPoint, the exploited methods are revealed only to the affected company so that they can patch the exploits.
Also hacked in this year's competition was Microsoft's Internet Explorer 8 browser. Peter Vreugdenhill, an independent security researcher from the Netherlands, took home a $10,000 prize by taking advantage of two vulnerabilities for a four-part hack that compromised the user's system.
Another person who went solely by Nils, the head of research MWR InfoSecurity in the U.K., discovered an exploit in Firefox in the 64-bit version of Windows 7. He took home a $10,000 prize.
On Topic: Mac OS X
- Apple releases first OS X 10.8.5 Mountain Lion beta to developers
- Parallels Desktop 8 updated to support Apple's OS X Mavericks
- Apple adds security enhancements to Java 6 in latest update
- OS X Mavericks' new App Nap, Timer Coalescing features target battery efficiency
- Adobe releases major update to Creative Cloud desktop apps
Previous Comments View All
Quote:
Originally Posted by Quadra 610 
It happens every year. it doesn't mean any more than it did the first time.
What counts is what's actually in the wild.
It happens every year. it doesn't mean any more than it did the first time.
What counts is what's actually in the wild.
Actually, I believe this is the first year the iPhone was pwnd.
Every browser (except chrome, evidently) has been pwnd pretty much every year.
Macs are more secure by a combination of superior security architecture (vs. MS) and smaller market share (less desirable target). Security by obscurity is not security tho'.
And Macs are just as susceptible to social engineering attacks as other platforms. The nasty payloads just haven't targeted the Mac community yet.
Problem is that this isn't really a true test of how easy it is to hack a Mac. I mean it took them two weeks prior to develop the exploits. NONE of the Mac hacks were done on the spot and some of the hacks won't work anyway because the latest patches fixed that.
No, what would be a true test would be if no one was allowed to bring anything, were not allowed to access a machine for a month prior to the contest, and then perform hacks onsite only. That would be a true test.
Quote:
Originally Posted by Quadra 610
Hackers in these contests pick Apple products to attack first in order to maximize publicity.
Hackers in these contests pick Apple products to attack first in order to maximize publicity.
I thought they picked Apple products because, if you hack it, you get the hardware.
Quote:
Originally Posted by anonymouse
I thought they picked Apple products because, if you hack it, you get the hardware.
I thought they picked Apple products because, if you hack it, you get the hardware.
That's also a plus.
Anyway, if a hacker has physical access to the machine, all bets are off.
What about Chrome, or have they given up trying on that one already... ?
So where's the 20 zero-day holes he was talking about like a week and a half ago ?!
The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.
Quote:
Originally Posted by evo9
What about Chrome, or have they given up trying on that one already... ?
What about Chrome, or have they given up trying on that one already... ?
Chrome is next up. Hasn't been hacked because it is on today's agenda. The other were yesterday.
Quote:
Originally Posted by mstone
The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.
The hackers don't really pick the Mac. The contest is fair. They draw positions. The organizers decide which devices go in what order. They don't just pick macs either. Firefox on Win 7, Explorer on Win 7, and Chrome on win 7 are also in the contest.
Well obviously then the organizers had it in for Apple. They chose Apple products to go first and be hacked by the best hackers. They probably even had keyloggers pre-installed.
Latest Apple Headlines
-
Apple releases first OS X 10.8.5 Mountain Lion beta to developers
~37 minutes ago -
New patent lawsuit targets Apple over iPhone 5's call forwarding feature
~2 hours ago -
Parallels Desktop 8 updated to support Apple's OS X Mavericks
~2 hours ago -
Researchers crack default iPhone Personal Hotspot passwords in under a minute
~4 hours ago -
Apple wins $30 million iPad contract from LA school district [u]
~4 hours ago - more...
Want to write for AppleInsider? Submit your application now!
| Model | White | Black | |
|---|---|---|---|
| iPad mini (WiFi only) | |||
| 16GB WiFi |  |
$329.00 | $329.00 |
| 32GB WiFi | |
$429.00 | $429.00 |
| 64GB WiFi | |
$529.00 | $529.00 |
| iPad mini (WiFi + 4G) | |||
 |
 |
 |
|
| 16GB 4G White | $459.00 | $459.00 | $459.00 |
| 32GB 4G White | $559.00 | $539.99 | $559.00 |
| 64GB 4G White | $659.00 | $659.00 | $629.99 |
| 16GB 4G Black | $459.00 | $459.00 | $459.00 |
| 32GB 4G Black | $559.00 | $539.99 | $539.99 |
| 64GB 4G Black | $659.00 | $659.00 | $629.99 |
Lowest Prices Anywhere!
| Model | Price | You Save |
|---|---|---|
| 11"1.3GHz/4GB/128GB | $964.18* | $34.82 |
| 11" 1.3GHz/8GB/128GB | $1,061.18* | $37.82 |
| 11" 1.3GHz/8GB/256GB | $1,255.18* | $43.82 |
| 11"1.7GHz/8GB/128GB | $1,206.68* | $42.32 |
| 11"1.7GHz/8GB/256GB | $1,400.68* | $48.32 |
| 11" 1.7GHz/8GB/512GB | $1,691.68* | $57.32 |
| 13" 1.3GHz/4GB/128GB | $1,061.18* | $37.82 |
| 13" 1.3GHz/4GB/256GB | $1,255.18* | $43.82 |
| 13" 1.3GHz/8GB/256GB | $1,352.18* | $46.82 |
| 13" 1.3GHz/8GB/512GB | $1,643.18* | $46.82 |
| 13" 1.7GHz/8GB/256GB | $1,497.00* | $52.00 |
| 13" 1.7GHz/8GB/512GB | $1,788.68* | $60.32 |
* price with Promo Code:
APPLEINSIDER01
|
||
| Click for even more configurations | ||
It happens every year. it doesn't mean any more than it did the first time.
What counts is what's actually in the wild.
Hackers in these contests pick Apple products to attack first in order to maximize publicity. The fact that hacking a Mac is so popular at these events, combined with the fact that zero self-propagating viruses have ever successfully attacked OS X users in the wild in over 9 years speaks volumes.