Vincenzo Iozzo

Latest

  • iPhone SMS database hacked in 20 seconds, news at 11

    by Sean Hollister
    03.25.2010

    It's a story tailor-made for the fear-mongering subset of news media. This week, a pair of gentlemen lured an unsuspecting virgin iPhone to a malicious website and -- with no other input from the user -- stole the phone's entire database of sent, received and even deleted text messages in under 20 seconds, boasting that they could easily lift personal contacts, emails and your naughty, naughty photos as well. Thankfully for us level-headed souls, those gentlemen were Vincenzo Iozzo and Ralf-Philipp Weinmann, security researchers performing for the 2010 Pwn2Own hacking contest, and their $15,000 first prize ensures that the winning formula will go to Apple (and only Apple) for further study. Last year, smartphones emerged from Pwn2Own unscathed even as their desktop counterparts took a beating, but this makes the third year in a row that Safari's gotten its host machines pwned. That said, there's no need for fear -- just a healthy reminder that the Apple logo doesn't give you free license to click links in those oh-so-tempting "beta-test the new iPad!" emails.

  • iPhone hacked at Pwn2Own contest

    by Mike Schramm
    03.24.2010

    An iPhone got hacked in just 20 seconds at this week's Pwn2Own hacking contest at CanSecWest 2010, reports Ryan Naraine for ZDNet. Hackers Vincenzo Iozzo and Ralf-Philipp Weinmann demoed an exploit that allowed them to send a target iPhone to a web site that they'd set up online, and then copied off the entire SMS database on the iPhone (including deleted text messages) to their own server. The browser crashed during the hijack, but the hackers say that with a little tweaking, it would even be possible to nab the information without the user ever knowing that an attack had occurred. Halvar Flake also assisted with the hack, and he said that while Apple does have some protection in place against running malicious code on the iPhone, it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit -- as specified by the contest rules, knowledge of the hack is becoming property of the contest's sponsor, the Tipping Point Zero Day Initiative, who will pass on a report to Apple and only release details once the hole has been fixed. Safari and Internet Explorer 8 both got owned at the same conference, though details about both of those hacks are forthcoming -- Tipping Point was offering up US$100,000 in prizes for exploits on these various programs, and it looks like the prize money has been well-earned.