Posted by: David Harley | March 25, 2010

And the Firewalls Came Tumbling Down…

…to use a little poetic licence…

I’m referring, of course, to the Pwn2Own hacking contest at CanSecWest 2010, and I might have referred to sacred cows instead, but Kevin Townsend has already done that in a blog post called Sacred cows fall at Pwn2Own, so I’ll stick with the firewalls of Jericho.

IE8 and Firefox on Windows 7 were compromised: for details, see Dan Goodin’s post for The Register. But as readers of this blog, you’re probably most curious about Charlie Miller’s Safari hack and an assault on the iPhone, using an exploit developed by Vincenzo Iozzo and Ralf-Philipp Weinmann with help from Halvar Flake.

Well, Miller’s hack used one of the 20 exploits with which he came armed to the conference, and on which he’s been fairly tight-lipped so far: see previous blogs here and here. The iPhone hack used a technique called return-oriented programming to evade the iPhone’s code-signing mechanism and build a web page that enables the attacker to steal the iPhone’s SMS database in less than half a minute.

What do we conclude from this? Well, Kevin suggests, with some justification, that the “impregnability of the iPhone has gone.” Though I’d say that, realistically, anyone who really ever thought the iPhone was impregnable simply didn’t understand the significance of the first jailbreaks. Not that this particular exploit involved jailbreaking, or else it would have been rather less significant. Halvar Flake tells us that “This exploit doesn’t get out of the iPhone sandbox… Apple has pretty good counter-measures but they are clearly not enough. The way they implement code-signing is too lenient.”

Actually, I don’t think that’s the point. It might be a Good Thing to tighten up on iPhone code-signing, but it’s no more The Answer than are DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization), both of which were bypassed on Windows in the same contest.

Don’t mistake mitigation for impregnability: a sound countermeasure may offer 100% protection in a context that holds little interest for attackers, but when the $ signs start to flash, whether it’s a hacking contest or the monetization of criminal activity, good technology is likely, sooner or later, to go the way of the Maginot line.

Or as General George Patton apparently put it:

“Fixed fortifications are monuments to man’s stupidity.”

Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
