
Dutch researchers use WebKit bug to hack iPhone 4S

A pair of Dutch security researchers took advantage of a bug in WebKit to compromise an iPhone 4S at the latest Pwn2Own competition.

Joost Pol and Daan Keuper, of Certified Secure, exploited a WebKit vulnerability to launch a drive-by download to hijack the address book, photos, videos, and browsing history from a fully patched iPhone 4S, ZDNet reported. The pair demonstrated their attack at the Mobile Pwn2Own competition in Amsterdam, the Netherlands.

The attack netted the researchers $30,000 (£18,000) in cash and other prizes, such as a BlackBerry PlayBook tablet from sponsor Research in Motion. Mobile Pwn2Own runs from 19 to 20 September at EUSecWest. Researchers armed with potential exploits attempt to be the first to compromise the target system. The competition is similar to CanSecWest's Pwn2Own in March; while that contest focuses on Web browsers, Mobile Pwn2Own contestants target fully patched BlackBerry, iPhone and Android devices.

"We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target [iPhone]," Pol said in a ZDNet interview.

The attack works on iOS 5.1.1 and the developer release of iOS 6, as well as on the iPad, iPhone 4, and previous versions of the iPod Touch, Pol said.

Embedded Code on Webpages

The attack relies on luring the user to a malicious webpage containing code that circumvents security mechanisms in the Safari Web browser. The page then rifles through the user's photos, contact information and browsing history and transmits all of it to a remote server, without the user's knowledge.

The exploit built on the WebKit zero-day bypasses Apple's strict code signing requirements and the Mobile Safari sandbox. Pol and Keuper found the bug through code auditing, then chained several techniques, including triggering a use-after-free condition and a memory overwrite, into a working exploit.
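To make the "use-after-free" primitive named above concrete, here is an added, self-contained illustration in C. It is not the researchers' WebKit exploit and reveals nothing about the actual bug; it models the generic pattern: an object holding a function pointer is freed while a second reference survives, an attacker-shaped allocation of the same size reuses the slot, and the stale reference dispatches through attacker-controlled bytes. The fixed-slot `pool` allocator, the `Node`/`Blob` types and the `attacker_target` function are assumptions of this demo (a real heap has to be groomed to get the same reuse). The second half shows a common hardening pattern, a generational handle that refuses to dispatch through a freed object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy fixed-slot allocator (assumption for this demo): a freed slot is
 * immediately reusable, so the reuse an attacker must engineer on a real
 * heap is deterministic here. */
enum { SLOTS = 4 };

typedef struct {
    void (*on_event)(void);            /* "virtual method", e.g. an event handler */
    int id;
} Node;

typedef struct {
    unsigned char data[sizeof(Node)];  /* attacker-shaped filler, e.g. a string */
} Blob;

typedef union { Node node; Blob blob; } Storage;

static struct {
    Storage mem;
    bool in_use;
    unsigned generation;               /* bumped on every free; used by the hardened path */
} pool[SLOTS];

static int pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            memset(&pool[i].mem, 0, sizeof pool[i].mem);
            return i;
        }
    }
    return -1;
}

static void pool_free(int slot) {
    pool[slot].in_use = false;
    pool[slot].generation++;
}

static int benign_calls, hijacked_calls;
static void benign_handler(void) { benign_calls++; }
static void attacker_target(void) { hijacked_calls++; }  /* stands in for a payload */

/* Vulnerable pattern: a second reference to the node survives the free, a
 * fresh allocation of the same size lands in the same slot, and its
 * "attacker-controlled" bytes overlap the function pointer. */
int demo_use_after_free(void) {
    hijacked_calls = benign_calls = 0;
    int s = pool_alloc();
    Node *node = &pool[s].mem.node;
    node->on_event = benign_handler;
    node->id = 1;
    Node *dangling = node;             /* stale reference kept by another component */
    pool_free(s);

    int t = pool_alloc();              /* reuses slot s */
    Blob *blob = &pool[t].mem.blob;
    void (*fp)(void) = attacker_target;
    memcpy(blob->data, &fp, sizeof fp); /* overwrite where on_event used to live */

    dangling->on_event();              /* dispatch through the freed object */
    pool_free(t);
    return hijacked_calls;             /* 1: control flow reached attacker_target */
}

/* Hardened pattern: references carry the slot's generation and are checked
 * before dispatch, so a stale handle is rejected rather than followed. */
typedef struct { int slot; unsigned generation; } Handle;

static Handle make_handle(int slot) {
    return (Handle){ slot, pool[slot].generation };
}

static bool dispatch_checked(Handle h) {
    if (h.slot < 0 || h.slot >= SLOTS) return false;
    if (!pool[h.slot].in_use || pool[h.slot].generation != h.generation)
        return false;                  /* freed (and possibly reused): refuse */
    pool[h.slot].mem.node.on_event();
    return true;
}

int demo_hardened(void) {
    hijacked_calls = benign_calls = 0;
    int s = pool_alloc();
    pool[s].mem.node.on_event = benign_handler;
    Handle stale = make_handle(s);
    bool before = dispatch_checked(stale);   /* live object: benign handler runs */
    pool_free(s);

    int t = pool_alloc();                    /* reuses slot s */
    void (*fp)(void) = attacker_target;
    memcpy(pool[t].mem.blob.data, &fp, sizeof fp);

    bool after = dispatch_checked(stale);    /* generation mismatch: refused */
    pool_free(t);
    return (before && !after && hijacked_calls == 0 && benign_calls == 1) ? 0 : -1;
}
```

The generation check is what many real mitigations (weak references, generational handles, quarantined or isolated heaps) boil down to: a freed object's identity must become unusable, not merely its memory reclaimable.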

"We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out today will be vulnerable to this attack," Pol said.

What makes the exploit even more sinister is that the user does not need to click on anything for the attack to succeed. The code can be embedded anywhere on a page, including in advertisements, so any iPhone user who lands on a page displaying a malicious ad, or on a page that has otherwise been compromised to run the attack code, could be affected.

"The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It's simple as that. There are a lot of people taking photos on their phones that they shouldn't be taking," Pol told ZDNet.

Improving Mobile Security

The pair handed the exploit and details of the vulnerability over to the Zero Day Initiative (ZDI) of HP TippingPoint DVLabs, the organisers of the competition. ZDI will pass the exploit information on to Apple.

The contest is intended to provide a "safe environment" for researchers to collaborate on mobile vulnerabilities, Adrian Stone, director of security response at BlackBerry, told SecurityWatch during the Black Hat security conference in July. The details of the research are shared only with the affected vendors, so customers are not put at risk while the disclosed vulnerabilities are fixed, Stone said.

This kind of collaboration is also necessary to identify flaws that span multiple platforms, Stone said. A vulnerability found on one platform may well exist on another, and WebKit is a prime example, since many platforms use the open source engine to power their mobile browsers. Even though the Dutch team exploited the WebKit vulnerability on the iPhone, the same flaw could very possibly be found on BlackBerry devices, for example. Mobile security needs to focus on "protecting the ecosystem," Stone said.