
Miller wins Pwn2Own again with iPhone 4 exploit [U]

updated 06:50 pm EST, Fri March 11, 2011

BlackBerry Torch 9800 said to be "far less secure"

[Update: Miller says Apple will issue a patch] Hacker Charlie Miller, who has repeatedly won the CanSecWest "Pwn2Own" security competition in Vancouver, seems to enjoy owning Apple products -- but mainly by winning them after demonstrating a security vulnerability. Miller, who has previously compromised an (original) MacBook Air and has since focused mostly on vulnerabilities in WebKit and Safari, used that technique again this year to compromise an iPhone 4, thus winning it. The exploit Miller used has been blocked in the release of iOS 4.3, but the vulnerability in WebKit still exists, he told ZDNet.

The exploit, which relies on return-oriented programming (ROP) to work, can be triggered simply by surfing to a specially rigged website. On his first attempt, MobileSafari crashed -- but a second attempt allowed Miller access to the iPhone's full Contacts list, including copying the data from it.

With iOS 4.3, which was released the same day as the competition, the vulnerability is much harder to reach -- Apple has quietly added Address Space Layout Randomization (ASLR) to its existing Data Execution Protection (DEP), meaning the technique Miller used would have failed if the contest had been held a few days later. Contest rules stipulate that the iPhone 4 was fully patched (running 4.2.1) at the time.

After the demonstration, Miller posted to his Twitter account that the specifics of the vulnerability were shared with Apple, and that it will soon issue a patch (presumably v4.3.1) of iOS to close the exploit.

Miller, who typically spends weeks or months discovering vulnerabilities and then preparing his technique for public exhibition so that it all happens very quickly, teamed up with a colleague from his workplace, Independent Security Evaluators, to develop the winning exploit. Miller himself is considered one of the top minds in the field of data security, having spent five years at the National Security Agency (NSA) before joining ISE. He also holds a Ph.D. in mathematics from the University of Notre Dame.

He told ZDNet that Apple has greatly improved security on the iPhone over the years. Miller first hacked an iPhone in 2007 via the MobileSafari browser (at the time he could read the log of SMS messages, the address book, the call history and voicemail data). The original iPhone, he said, had no sandboxing and "everything ran as root," making exploits very easy.

Two years later, he partnered with Colin Mulliner to exploit a bug in the way the iPhone handled SMS messages. He admitted that if the iPhone he used in this year's competition had been patched to iOS 4.3 that day, his exploit would not have worked.

In addition to keeping the iPhone 4, Miller also won a $15,000 cash prize. Another team using a similar WebKit exploit easily cracked a BlackBerry Torch 9800, obtaining even more information from it than Miller was able to get from the iPhone 4. BlackBerry devices do not yet implement DEP or ASLR or even code signing, and the team behind the cracking described the BlackBerry as "way behind the iPhone" in terms of security. [via ZDNet]

by MacNN Staff



  1. Foxypaco



    This guy

    is pretty badazz.

  2. normr



    Apple needs to hire this guy

    Apple needs to hire this guy or buy the company and lock up their devices so we can continue to enjoy the platform and not have the aggravation that most PC owners have to endure.

  3. testudo




    With iOS 4.3, which was released the same day as the competition, the vulnerability is much harder to reach

    Well, he may not have been able to win the iPhone, but that wouldn't have made the problem any better. It depends on how quickly the iPhone user base actually updates their phones' OS. Most people, I would guess, may never do it, or not do it for a month or two. H***, unless you actually go looking for it, you may not even know an update exists. Or not until the random time you plug your iPhone into your computer.
