iPhone Hacked in 20 Seconds, Stole Text / SMS Data


It is true indeed that an unsuspecting iPhone was lured to a website where without the knowledge of the user, all his text messages were stolen in flat 20 seconds.

Thankfully, it was for demonstration purpose in a Pwn2Own hacking contest where the developers and security researchers Vincenzo Iozzo and Ralf-Philipp Weinmann won the first prize for their creation. It was to show that iPhone might have been prone to viruses but still data theft can be done in other manners as well. The code for the program will now be shared with Apple (I see $$$) for further research.

Details from ZDNet

Using an exploit against a previously unknown vulnerability, the duo — Vincenzo Iozzo and Ralf Philipp Weinmann — lured the target iPhone to a rigged Web site and exfiltrated the SMS database in about 20 seconds.

The exploit crashed the iPhone’s browser session but Weinmann said that, with some additional effort, he could have a successful attack with the browser running.

“Basically, every page that the user visits on our [rigged] site will grab the SMS database and upload it to a server we control,” Weinmann explained. Iozzo, who had flight problems, was not on hand to enjoy the glory of being the first to hijack an iPhone at the Pwn2Own challenge.

Weinmann, a 32-year-old from the University of Luxembourg, collaborated with Iozzo (a 22-year-old Italian researcher from Zynamics) on the entire process — from finding the vulnerability to writing the exploit. The entire process took about two weeks, Weinmann said.

Although it might have been in a contest but if two researchers can do it and demonstrate it publicly, then there are hundreds and thousands of hackers who will do the same, without the knowledge of anyone. Therefore, out of our own ethical and moral value (no matter how much we criticize Apple or Mr. Jobs) one should always be careful while surfing the net on their phones and clicking on links like "iPad deal, $199 only, no contract".

Thanks: Engadget / ZDNet