I realize this is a week late, but I’ve been catching up on podcasts this weekend and I listened to this one while running today. The New York Times Tech Talk podcast for 1 April 2010 includes an interview (at 19:30) with Ralf Philipp Weinmann from the University of Luxembourg who, with Vincenzo Iozzo of Zynamics, pwned an Apple iPhone in 20 seconds. Weinmann explains that the exploit wouldn’t necessarily require social networking even though the iPhone at CanSecWest was given a URL to a site containing their exploit. Once the device was pwned, all account information was available as it’s stored in one file — all text messages, e-mails, contacts, photos, etc.
Weinmann couldn’t provide much detail due to TippingPoint’s non-disclosure requirement for pwn2own. Charlie Miller, who’s won pwn2own before targeting Macs, predicted the iPhone would fall quickly. Miller confirmed something Weinmann said in the podcast, namely that putting together the payload is the difficult part. Miller explained why it’s more difficult to pwn an iPhone than OS X/Safari/etc.:
In real life iPhone is harder because you can’t just exec a shell (since there is no /bin/sh). You have to write your return oriented payload to do all your dirty work, which can be a pain. In Pwn2Own, you just have to prove you have code running, not actually do something useful, so the bar is lower. The only thing iPhone has going for it, which coincidentally is stopping me from attacking it this year, is a smaller attack surface. There isn’t as much exposed code on the iPhone. Safari for Mac OS X can do anything, render any file, etc. Not so on iPhone. There are some file types MobileSafari can’t display, some they display incompletely, and of course, iPhone lacks Java and Flash, which come by default on Safari. The easy-to-exploit bugs I know about happen to live in the code that Safari (on OS X) has but MobileSafari doesn’t, so no go for me.
Weinmann said finding bugs was easy, but the exploit took a couple of weeks to write because of the effort of crafting the payload. By the way, Miller again — for the third consecutive year — pwned OS X via another Safari-related exploit.