Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN

Hey all,

this is just a quick announcement that Ralf-Philipp Weinmann (a postdoctoral researcher at the University of Luxembourg) and Vincenzo Iozzo (a researcher at zynamics :-)) owned the iPhone at PWN2OWN today.

A bug in Safari was exploited to extract the SMS database from the phone and upload it to a server.

Vincenzo will write more about the payload construction process once the dust settles — fittingly, the payload used chained return-into-libc (“return oriented programming”) on ARM to execute in spite of code signing. As far as we know, this is the first public demonstration of chained return-into-libc on the ARM platform.
I am happy and proud to be able to work with great people (Ralf happens to be a BinNavi/BinDiff user, and Vincenzo is “our youngest” employee).  Now we’ll celebrate for a bit and then prepare tomorrow’s talk.

Here’s a press release and ZDI’s blog post about pwn2own.

Cheers,

Halvar

37 Responses to “Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN”

  1. […] Windows 7 and Safari on Mac OS X hacked during the first day of the event. Vincenzo Iozzo of Zynamics GmbH and Ralf Philipp Weinmann of the University of Luxembourg had already announced via Twitter on 19 April: […]

  2. […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his […]

  3. […] the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit — as specified by […]

  10. […] not enough: “The way they implement code-signing is too lenient.” You can see more technical information about the hack over on his blog. The hackers aren’t sharing exactly how they did the exploit — as […]

  12. […] but it’s not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren’t sharing exactly how they did the exploit — as […]

  13. […] Ralf-Philipp Weinmann and Vincenzo Iozzo focused on a standard iPhone 3GS with OS 3.1.3; through Safari they reached the entire SMS database. Next week Previous week […]

  14. […] not enough: “The approach they exercise code-signing is as well lenient.” You can see more technical inform about a hack over upon his […]

  15. […] doing an excellent job covering the event.  And for insight on how the hack works you can read it here. Nicholas TarnowskyNicholas Tarnowsky is the new contributing smartphone/gadget Editor. He has […]

  16. […] is to be discussed at the conference today, but it is the TippingPoint Zero-Day Initiative that holds the “rights” to the security hole in […]

  17. […] The event runs over three days, and the participants got to try their hand at several platforms. This time the hackers Vincenzo Iozzo and Ralf Philipp Weinmann were noticed when they hacked an iPhone, which allowed them to send an iPhone to a website they had set up, after which the entire SMS database on that iPhone, including deletion of text messages, was copied to their own server. All of it was done in under 20 seconds! They were assisted by hacker Halvar Flake, who says Apple does have some protection in place for running malicious code on the iPhone, but it doesn’t cut it. “The way they implement code-signing is too lenient.” Weinmann and Iozzo won a $15,000 cash prize and got to keep the hijacked iPhone. For a full rundown on all the events, Ryan Naraine from ZDnet has been on the scene and doing an excellent job covering the event. And for insight on how the hack works you can read it here. […]

  18. […] of the first prizes awarded at the CamSec West security conference goes to the Italian Vicenzo Iozzo and to Ralph Phillipp Weinmann of Luxembourg, after they managed to hack the […]

  19. […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN … […]

  20. […] Windows 7 and Safari on Mac OS X hacked during the first day of the event. Vincenzo Iozzo of Zynamics GmbH and Ralf Philipp Weinmann of the University of Luxembourg had already announced via Twitter on 19 March: […]

  24. […] exploit does not break out of the iPhone sandbox", according to Flake. Still, an attacker can do plenty of damage. "Apple has fairly good countermeasures, but it is clearly not enough. […]

  28. […] Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN Hey all, this is just a quick announcement that Ralf-Philipp Weinmann (a postdoctoral researcher at the University of […] […]

  29. […] details have now been announced for the iPhone exploit  "This year, Iozzo and Weinmann had to put in extra effort to bypass the" code […]

  30. […] could. Peter Vreugdenhill defeated Internet Explorer 8 on a Windows 7 operating system, and for the first time Iozzo and Weinmann also managed, with a mobile phone, namely the I-Phone, to […]

  31. […] On the Zynamics blog, Flake celebrated: […]

  33. […] “A bug in Safari was exploited that extracted the SMS database from the phone and uploaded it to a server,” Zynamics CEO Halvar Flake explained in a blog post. […]
