Contestants at the “Pwn2Own” competition successfully hacked an iPhone 4 and a BlackBerry, underscoring the ongoing security issues with smartphones.
Three researchers working together exploited a vulnerability in a BlackBerry’s WebKit browser engine, a result of particular significance because both Apple and Google use WebKit code in their mobile browsers.
Charlie Miller and Dion Blazakis hacked the previous version of Apple’s iOS on the iPhone with a vulnerability that could be exploited just by visiting a malicious web page. Apple’s new version of its iOS system, released during the contest, only partially addresses the problem.
“The vulnerability I found is still in there, but it would be harder to write for it today than it would have been a few days ago,” Miller said.
The results highlight that smartphones are vulnerable to hacks that could be used to steal personal and financial information from users to commit fraud and identity theft. Infected apps in the Android Market made headlines recently, but the flaws exploited in the contest show that other platforms are also vulnerable.
Bugs in web browsers are particularly insidious because users don’t even have to install apps to be infected with viruses: just visiting the wrong web page is enough. Such “drive-by” attacks bypass the security of carefully monitored app stores like Apple’s.
A researcher who planned to attack a Windows 7 Phone handset withdrew at the last minute, and nobody attempted to hack the Android target.
The contest, sponsored by a division of HP, is designed to draw attention to security issues and help patch them before malware writers exploit them. The winners took home $15,000 and the phones they successfully exploited. Participants are not allowed to discuss the bugs they used to hack the devices until the affected companies have had six months to patch the vulnerabilities.