Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN

by

Hey all,

this is just a quick announcement that Ralf-Philipp Weinmann (a postdoctoral researcher at the University of Luxembourg) and Vincenzo Iozzo (a researcher at zynamics :-)) owned the iPhone at PWN2OWN today.

A bug in Safari was exploited that extracted the SMS database from the phone and uploaded it to a server.

Vincenzo will write more about the payload construction process once the dust settles — fittingly, the payload used chained return-into-libc (“return oriented programming”) on ARM to execute in spite of code signing. As far as we know, this is the first public demonstration of chainged return-into-libc on thre ARM platform.
I am happy and proud to be able to work with great people (Ralf happens to be a BinNavi/BinDiff user, and Vincenzo is “our youngest” employee).  Now we’ll celebrate for a bit and then prepare tomorrow’s talk.

Here’s a press release and ZDI’s blog post about pwn2own.

Cheers,

Halvar

37 Responses to “Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN”

  1. Standaard iPhone 3GS op 3.1.3 als eerste gehackt op Pwn2Own - iPhone - iPhoneclub.nl Says:

    […] Windows 7 en Safari op Mac OS X gehackt tijdens de eerste dag van het evenement. Vincenzo Iozzo van Zynamics GmbH en Ralf Philipp Weinmann van de Universiteit van Luxemburg lieten op 19 april via Twitter al weten: […]

  2. The Iphone Spot» Blog Archive » iPhone Hacked At Pwn2Own Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  3. iPhone hacked at Pwn2Own contest | Marthee's Tech News Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  4. iPhone hacked at Pwn2Own contest | InfoFork.com Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  5. iPhone hacked at Pwn2Own contest Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  6. iPhone hacked at Pwn2Own contest | oQlz Blog Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  7. iPhone hacked at Pwn2Own contest | Apple latest news Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  8. » iPhone hacked at Pwn2Own contest Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  9. iPhone hacked at Pwn2Own contest – ComputerUser.ca Says:

    […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  10. iPhone hacked at Pwn2Own contest | Design City Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his blog. The hackers aren’t sharing exactly how they did the exploit — as […]

  11. iPhone hacked at Pwn2Own contest | Free iPad - One Time Offer! Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  12. iPhone Hacked At Pwn2Own | THE Tech Scoop Says:

    […] but it’s not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren’t sharing exactly how they did the exploit — as […]

  13. Un italiano ed un collega violano l’iPhone in 20 secondi | setteB.IT Says:

    […] Ralf-Philipp Weinmann e Vincenzo Iozzo si sono concentrati su un iPhone 3GS standard con OS 3.1.3, attraverso Safari hanno raggiunto l’intero database SMS. Settimana successiva Settimana precedente […]

  14. iPhone hacked at Pwn2Own contest « Apple « Apple News Fan Page Says:

    […] not enough: “The approach they exercise code-signing is as well lenient.” You can see more technical inform about a hack over upon his […]

  15. iPhone Hacked Fast at Pwn2Own 2010 Says:

    […] doing an excellent job covering the event.  And for insight on how the hack works you can read it here. Nicholas TarnowskyNicholas Tarnowsky is the new contributing smartphone/gadget Editor. He has […]

  16. MacZonen.dk | iPhone hacket på 20 sekunder Says:

    […] i dag skal diskuteres på konferencen, men det er TippingPoint Zero-Day Initiative der har “retten” til sikkerhedshulelt i […]

  17. En iPhone ble hacket på bare 20 sekunder « What's Up Says:

    […] Arrangementet går over tre dager, og deltakerne fikk prøve seg på flere plattformer. Denne gangen ble Hackere Vincenzo Iozzo og Ralf Philipp Weinmann lagt merke til da de hacket en iPhone som tillot dem å sende en iPhone til en nettside som de hadde satt opp, og deretter kopieres hele SMS-databasen på den aktuelle iPhone inkludert sletting av tekst meldinger til deres egen server. Alle som var gjort på under 20 sekunder! They were assisted by hacker Halvar Flake, who says Apple does have some protection in place for running malicious code on the iPhone, but it doesn’t cut it. “The way they implement code-signing is too lenient.” Weinmann and Iozzo won a $15,000 cash prize and got the keep the hijacked iPhone. For a full rundown on all the events, Ryan Naraine from ZDnet has been on the scene and doing an excellent job covering the event. And for insight on how the hack works you can read it here. […]

  18. » El SMS en el iPhone, hackeado Canal Apple Says:

    […] de los primeros premios otorgados en la conferencia de seguridad CamSec West va al italiano Vicenzo Iozzo y a Ralph Phillipp Weinmann de Luxemburgo, tras lograr el hackeo de la […]

  19. Digital Photography? | geek-news.co.uk Says:

    […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN … […]

  20. iPhone 3GS 3.1.3 gehacked op Pwn2Own « Blog on News, Gadgets and Technology Says:

    […] Windows 7 en Safari op Mac OS X gehackt tijdens de eerste dag van het evenement. Vincenzo Iozzo van Zynamics GmbH en Ralf Philipp Weinmann van de Universiteit van Luxemburg lieten op 19 maart via Twitter al weten: […]

  21. Iphone 3GS 3.1.3 Gehacked « Blog on News, Gadgets and Technology Says:

    […] Windows 7 en Safari op Mac OS X gehackt tijdens de eerste dag van het evenement. Vincenzo Iozzo van Zynamics GmbH en Ralf Philipp Weinmann van de Universiteit van Luxemburg lieten op 19 maart via Twitter al weten: […]

  22. Apple-Overload! » iPhone hacked at Pwn2Own contest Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  23. iPhone Hacked At Pwn2Own : The Crimson Skull Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  24. Plaats hier software gerelateerd nieuws! - Page 19 Says:

    […] exploit komt niet uit de iPhone sandbox", aldus Flake. Toch kan een aanvaller nog voldoende schade doen. "Apple heeft behoorlijke goede tegenmaatregelen, maar het is duidelijk niet voldoende. […]

  25. Cruise West Small Ships | Alaska Cruise Line Says:

    […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN … […]

  26. After burning the candle well … Says:

    […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN … […]

  27. iPhone 3GS op 3.1.3 gehacked « Blog on News, Gadgets and Technology Says:

    […] Windows 7 en Safari op Mac OS X gehackt tijdens de eerste dag van het evenement. Vincenzo Iozzo van Zynamics GmbH en Ralf Philipp Weinmann van de Universiteit van Luxemburg lieten op 19 maart via Twitter al weten: […]

  28. Researchers Show How to Remotely Steal Pics, SMS Texts From iPhone « Interesting finds Says:

    […] He posts more details on a blog here. […]

  29. Top Posts — WordPress.com Says:

    […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN Hey all, this is just a quick announcement that Ralf-Philipp Weinmann (a postdoctoral researcher at the University of […] […]

  30. iPhone SMS Hack at Pwn2Own, Safari bug Allows the Jailbreak OS 3.1.3, Firmware Update Soon | Apple Says:

    […] details have now been announced for the iPhone exploit  "This year, Iozzo and Weinmann had to put in extra effort to bypass the" code […]

  31. Pwn2Own 2010 Says:

    […] konnte. Peter Vreugdenhill besiegte den Internet Explorer 8 auf einem Windows 7 Betriebssystem, und Iozzo und Weinmann gelang es erstmals auch ein Mobilfunkgerät, nämlich das I-Phone zu […]

  32. Pwn2Own Contest 2010 | Cyber World Says:

    […] On the Zynamics blog, Flake celebrated: […]

  33. iPhone hacked at Pwn2Own contest | ~ ReviewMyGadgets ~ | Symbian S60v5 Application | Symbian S60v5 Games | Symbian S60v5 Themes |Symbian S60v5 Downloads |Symbian S60v5 Troubleshoot |All About Nokia Reviews | Themes | Wallpapers | Games | Tips n Tricks | F Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  34. iPhone News : iPhone hacked at Pwn2Own contest Says:

    […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  35. Apple iPhone And Popular Browsers Exposed in Hacking Contest | eWEEK Europe UK Says:

    […] “A bug in Safari was exploited that extracted the SMS database from the phone and uploaded it to a server,” Zynamics CEO Halvar Flake explained in a blog post. […]

  36. iphone4 Says:

    iphone4…

    […]Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN « blog.zynamics.com[…]…

  37. Hack Cubby Says:

    Hack Cubby…

    […]Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN « blog.zynamics.com[…]…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Follow

Get every new post delivered to your Inbox.

Join 39 other followers

%d bloggers like this: