A pair of security researchers hijacked the entire SMS database of an iPhone in 20 seconds flat at the CanSecWest Pwn2Own hacking contest in Vancouver yesterday.
It’s the first time an iPhone has been hacked since the introduction of iPhone 2.0 in 2008.
Vincenzo Iozzo of the University of Luxembourg and Ralf Philipp Weinmann from Zynamics had the iPhone access a dodgy website and exploited an unknown vulnerability in the phone’s mobile Safari browser to perform the trick.
They bypassed the code signing and data execution prevention (DEP) technologies that prevent arbitrary code from running on the phone and defeat straightforward exploitation of buffer and heap overflow bugs.
To do this, they chained existing code bits in a technique known as ‘return-into-libc’ or ‘return-oriented-programming’.
“As far as we know, this is the first public demonstration of chained return-into-libc on the ARM platform,” said Zynamics’ Thomas Dullien.
The researchers were able to access the full SMS list – sent, received and even deleted messages. And they needn’t have stopped there, they say; the same technique could have been used to extract the phone contact list, email database, photos and iTunes music files.
We won’t hear much more about the details; the conference organisers say they’ll report to Apple and keep mum until a patch has been issued.
Iozzo and Weinmann get to keep the phone, along with a $15,000 prize from the contest organisers.