On Wednesday, Apple’s iOS mobile operating system was hacked at the Pwn2Own contest in Amsterdam. iOS had been very safe and secure against hackers, but it was finally hacked by two Dutch security researchers, Joost Pol and Daan Keuper, who found a vulnerability in WebKit. With it they were able to access photos, videos, address book contacts, and browsing history on the phone without authorization.
The researchers exploited an iPhone 4S running iOS after working on the exploit for three weeks, and confirmed that the hack still works with iOS 6, which was released today. They added that it also works on iPads. But they said that the exploit doesn’t allow them to view SMS messages or emails. Joost Pol and Daan Keuper earned a $30,000 cash prize and other prizes for this.
As part of the Pwn2Own competition, the two also demonstrated the exploit to an audience at the EUSecWest security conference in Amsterdam.
When a user visits a website where the code is running, the security mechanisms in Safari are circumvented, Joost Pol explained. “We could embed the code in advertisements on news sites for example,” said Pol, adding that if they can embed the code anywhere on a website, it will work.
“We don’t want anyone to run off with it,” said Keuper. Disclosing exactly how the exploit works might be difficult for the researchers.
Apple and its users are lucky that this hack did not fall into the wrong hands. “Apple will have to come up with an update and then people need to upgrade as fast as possible,” said Pol, who still thinks the iPhone is the most secure phone out there.
“Any browser exploit is significant,” said Brian Gorenc, manager of the Zero Day Initiative (ZDI) of HP DVLabs, which organized the competition. He doesn’t think that Apple is to blame. However, he further stressed that this is a hole that should be fixed. “The guys did a great job,” he said, adding that the exploit will be sent to Apple.