VANCOUVER - In the hands of hackers, the security of the Apple iPhone 4 and the BlackBerry Torch, made by Research In Motion (RIM), could still be broken. Hackers who took part in the Pwn2Own contest in Vancouver, Canada, on 9-11 March 2011 managed to compromise both smartphones.
Three researchers competing as Team Anon successfully penetrated the security of the BlackBerry Torch after finding many weaknesses in WebKit, the rendering engine of its browser. By exploiting a number of these weaknesses, they managed to plant a demonstration program that stole the contact list and the image database.
Despite these many weaknesses, the BlackBerry was not easy to penetrate, because there is no public documentation of its operating system. The hackers therefore had to rely on trial and error.
WebKit is one component that makes a potentially easy target. The BlackBerry Torch is the first BlackBerry device to use WebKit in its browser. However, the browser is not yet equipped with address space layout randomization (ASLR) and data execution prevention (DEP). According to Iozzo, although the BlackBerry still lags behind the iPhone on security, its closed nature was an obstacle in its own right.
"It would be difficult to attack the system if you do not have any documentation and information," said Iozzo.
To attack the iPhone 4, the hackers likewise exploited a weakness in the mobile version of the Safari browser. Charlie Miller, a security researcher from Independent Security Evaluators, and his colleague Dion Blazakis managed to plant a program that stole the contact list. The attack used return-oriented programming (ROP) to bypass DEP.
The target of the attack was an iPhone 4 running iOS 4.2. In the latest version, iOS 4.3, the vulnerability is still not fixed. However, the addition of ASLR may be able to resist the technique used in the attack.
"However, it only needs slight modifications to penetrate the security layer, and the devices are still vulnerable to attack until MobileSafari is patched," said Miller.
The three researchers, Vincenzo Iozzo, Willem Pinckaers and Ralf-Philipp Weinmann, are entitled to take home a US$15,000 prize and the device they compromised. The same goes for the team led by Miller.
By the end of the contest, the two other systems, Android 2.3 running on the Samsung Nexus S and Windows Phone 7 on the Dell Venue Pro, had not been penetrated. However, this was not because their security held up, but because no participant attempted them.
In the browser-hacking contest, only Chrome 9 and Firefox 3.6 survived the attacks. Safari and Internet Explorer 8 were successfully compromised by hackers on the first day.