Researchers hack iPhone, steal data
White-hat hackers broke into the developer version of iOS 6, meaning Apple's new iPhone 5 could be vulnerable
By Antone Gonsalves
September 21, 2012 — CSO — Researchers have broken into an iPhone 4S running the latest version of Apple iOS, making it possible to exploit the same vulnerability in the iPhone 5 that is set for release on Friday.
The white-hat hackers Joost Pol and Daan Keuper showed how they were able to steal contacts, browsing history, photos and videos to win $30,000 in the mobile Pwn2Own contest Wednesday at EUSecWest in Amsterdam, IT World reports.
Because the hacked iPhone was running a developer version of iOS 6, it's likely the same vulnerability could be used to break into an iPhone 5 or the latest iPad and iPod Touch devices.
The WebKit browser exploit took only a few weeks to make, the researchers told IT World. Using the malicious code in a website would enable a cybercriminal to bypass the security mechanisms in Safari to gain access to the phone's data.
WebKit is a layout engine used by browsers to render Web pages. The open source technology is used in the Safari Web browser in iOS and in Google's Chrome, which recently became the default browser for Android.
[See also: 5 policy questions for mobile device security]
The Dutch researchers are not the first penetrate the iPhone's defenses through WebKit, said Chenxi Wang, an analyst for Forrester Research. Hackers typically target WebKit because Apple does not use a number of standard security practices in using the engine.
Apple has not said why, but it could be related to phone performance and battery life. In addition, Apple doesn't vet code executed on the browser, like it does apps before allowing them to be offered to iPhone users.
"This opens doors to remote exploitation," Wang said. "But to [Apple's] credit, we haven't seen a lot of that going on, which is actually quite impressive."
Wang does not believe the risk of the latest vulnerability is very high. That's because a cybercriminal would have to find a way to get iPhone users to a compromised site. A hacker could inject malicious code into a popular Web site, but this would also be difficult.
"It's certainly possible and certainly is a threat, but I don't see it becoming a massively popular way of attacking iPhone users," he said.
The Dutch researchers held back some of the details of their work, in order to prevent giving cybercriminals a hacking roadmap to the iPhone.
"Apple will have to come up with an update and then people need to upgrade as fast as possible," Pol told IT World.