…to use a little poetic licence…
I’m referring, of course, to the Pwn2Own hacking contest at CanSecWest 2010, and I might have referred to sacred cows instead, but Kevin Townsend has already done that in a blog post called Sacred cows fall at Pwn2Own, so I’ll stick with the firewalls of Jericho.
IE8 and Firefox on Windows 7 were compromised: for details, see Dan Goodin’s post for The Register. But as readers of this blog, you’re probably most curious about Charlie Miller’s Safari hack and an assault on the iPhone, using an exploit developed by Vincenzo Iozzo and Ralf-Philipp Weinmann with help from Halvar Flake.
Well, Miller’s hack used one of the 20 exploits with which he came armed to the conference, and on which he’s been fairly tightlipped so far: see previous blogs here and here. The iPhone hack used a technique called return-oriented programming to evade the iPhone’s code-signing mechanism and build a web page that enables the attacker to steal the iPhone’s SMS database in less than half a minute.
What do we conclude from this? Well, Kevin suggests, with some justification, that the “impregnability of the iPhone has gone.” Though I’d say that, realistically, anyone who ever really thought the iPhone was impregnable simply didn’t understand the significance of the first jailbreaks. Not that this particular exploit involved jailbreaking, or else it would have been rather less significant. Halvar Flake tells us that “This exploit doesn’t get out of the iPhone sandbox…. Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient.”
Actually, I don’t think that’s the point. It might be a Good Thing to tighten up on iPhone code-signing, but it’s no more The Answer than are DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization), both of which were bypassed on Windows in the same contest.
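To make the point concrete, here is a small toy model, added to this post and not code from Pwn2Own, the iPhone or any of the people named above. It simulates a machine whose only executable memory is a signed text segment and whose stack is writable but never executable. Injected instructions are refused outright, which is what code-signing and DEP promise; yet if saved return addresses are chained through routines that are already signed, every instruction executed is “legitimate” and the mitigation has nothing to object to. A second layer, modelled here as a shadow stack that records each return address at call time, catches the diversion at the first return. Addresses, routine names, the `BUG_PC` location and the shadow-stack mechanism are all constructed for the illustration; the post says nothing about how the real devices were laid out.

```python
"""Toy model: W^X / code signing as mitigation, not impregnability.

Constructed illustration only: a tiny machine with a signed, executable text
segment and a writable, non-executable stack. Not iPhone internals and not
the Pwn2Own exploit.
"""

TEXT_BASE = 0x1000   # constructed address layout
STACK_BASE = 0x8000  # constructed: the writable, non-executable region
BUG_PC = 0x1011      # constructed: the ret in helper(), where a corruption bug is modelled

# The only signed, executable code in the machine: addr -> (op, arg)
PROGRAM = {
    0x1000: ("log", "main"),
    0x1001: ("call", 0x1010),    # main calls helper()
    0x1002: ("jmp", 0x1030),     # then jumps to exit()
    0x1010: ("log", "helper"),
    0x1011: ("ret",),
    0x1020: ("log", "open_db"),  # legitimate signed routine, never called by main
    0x1021: ("ret",),
    0x1022: ("log", "send"),     # another legitimate signed routine
    0x1023: ("ret",),
    0x1030: ("log", "exit"),
    0x1031: ("halt",),
}


class Machine:
    def __init__(self, text=PROGRAM, corrupted_stack=None, shadow_stack=False):
        self.text = dict(text)                 # signed + executable, read-only
        self.stack = []                        # writable, never executable (W^X)
        self.shadow = []                       # return addresses recorded at call time
        self.enforce_shadow = shadow_stack     # second layer: return-address integrity
        self.corrupted_stack = corrupted_stack # constructed: what the bug leaves on the stack
        self.log = []
        self.pc = TEXT_BASE

    def step(self):
        """Execute one instruction; return False when the machine stops."""
        if self.pc == BUG_PC and self.corrupted_stack is not None:
            # Model only the *effect* of the bug: saved return data overwritten.
            self.stack[:] = self.corrupted_stack
            self.corrupted_stack = None
        if self.pc not in self.text:
            # Code signing / DEP doing their job: nothing outside text ever runs.
            self.log.append(f"W^X: refused to execute unsigned memory at {self.pc:#x}")
            return False
        op, *arg = self.text[self.pc]
        if op == "log":
            self.log.append(arg[0])
            self.pc += 1
        elif op == "call":
            self.stack.append(self.pc + 1)
            self.shadow.append(self.pc + 1)
            self.pc = arg[0]
        elif op == "jmp":
            self.pc = arg[0]
        elif op == "ret":
            target = self.stack.pop()
            if self.enforce_shadow:
                expected = self.shadow.pop() if self.shadow else None
                if target != expected:
                    saved = f"{expected:#x}" if expected is not None else "<empty>"
                    self.log.append(f"CFI: return to {target:#x} differs from saved {saved}")
                    return False
            self.pc = target
        elif op == "halt":
            return False
        return True

    def run(self, max_steps=64):
        while max_steps > 0 and self.step():
            max_steps -= 1
        return self.log


def benign():
    return Machine().run()


def injected_code():
    # Return address redirected into the writable stack region: refused.
    return Machine(corrupted_stack=[STACK_BASE]).run()


def code_reuse(shadow_stack=False):
    # Return addresses chained through routines that are all validly signed
    # (top of stack is the last element, so open_db runs first).
    return Machine(corrupted_stack=[0x1030, 0x1022, 0x1020],
                   shadow_stack=shadow_stack).run()


if __name__ == "__main__":
    for name, result in [("benign", benign()), ("injected", injected_code()),
                         ("reuse", code_reuse()), ("reuse+shadow", code_reuse(True))]:
        print(f"{name:13s} {result}")
```

The middle two runs are the whole argument in miniature: the first shows the mitigation working exactly as advertised, the second shows it working exactly as advertised and the attacker getting what they wanted anyway, because nothing unsigned was ever executed. Only the extra layer changes the outcome.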
Don’t mistake mitigation for impregnability: a sound countermeasure may offer 100% protection in a context that holds little interest for attackers, but when the $ signs start to flash, whether it’s a hacking contest or the monetization of criminal activity, good technology is likely, sooner or later, to go the way of the Maginot line.
Or as General George Patton apparently put it:
“Fixed fortifications are monuments to man’s stupidity.”
David Harley FBCS CITP CISSP
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence