Yesterday (Sept. 19) at the Mobile Pwn2Own contest at the EUSecWest conference in Amsterdam, a pair of Dutch security researchers successfully exploited a completely patched iPhone 4S.
The duo, Daan Keuper and Joost Pol from The Hague-based computer security company Certified Secure, said their proof-of-concept hack works on both iOS 5.1.1 and the version of iOS 6 that was given to developers several months ago.
Keuper and Pol said iPads are also vulnerable to this attack. While the two haven’t had a chance to test an iPhone 5 running the final build of iOS 6, it is likely also at risk, they told Computerworld.
The malicious code — technically, a drive-by download — took only a few weeks to create and can be embedded anywhere on a website to work, Pol said.
When placed in a graphic or advertisement on a blog visited by Mobile Safari, the code bypasses Safari's sandbox and code-signing restrictions.
Users don’t need to do anything but visit the booby-trapped page for the malware to work. While the attack is able to steal a lot of sensitive data, email and SMS messages are separately encrypted and are not vulnerable to this particular attack.
Keuper and Pol wouldn’t reveal exactly how their attack works, but told ZDNet that it involved a zero-day exploit, one targeting a vulnerability Apple was not yet aware of and had not patched.
They also told ZDNet that they had no plans to use the exploit again.
“We shredded it from our machine,” Pol said. “The story ends here. … It’s time to look for a new challenge.”
He said that BlackBerry and Android devices, whose browsers use the same WebKit rendering engine as iOS’s Safari, could also be open to this exploit, but haven’t been tested. Pol hopes Apple fixes the underlying vulnerability soon and that users install the update as soon as possible.
Last year, security researcher Charlie Miller snuck a malicious proof-of-concept app into Apple’s iTunes App Store that could also steal data from iPhones.
For their successful hack of Mobile Safari, Pol and Keuper together took home $30,000.