iPhone 4S hacked using Safari exploit in Pwn2Own contest

Users of Apple’s iPhone and other iOS devices enjoy a fairly high level of security. In the past five years, the platform has only seen a handful of malware scares, and MIT says it recently crossed a “significant” threshold in security.

But all of that security couldn’t stop the iPhone 4S from getting hacked today at the Pwn2Own contest in Amsterdam. A group of Dutch security researchers gained remote access to the handset in seconds with a Safari exploit…

It took the team about three weeks to build the hack, from scratch. It uses a zero-day WebKit exploit, along with other scripts, to gain access to an iOS device without the owner’s permission or knowledge. That’s right, it’s stealth.

ZDNet reports:

“During the Pwn2Own attack, Pol created a web site that included an amusing animation of the Certified Secure logo taking a bite of the Apple logo. The drive-by download attack did not crash the browser so the user was oblivious to the data being uploaded to the attacker’s remote server. “If this is an attack in the wild, they could embed the exploit into an ad on a big advertising network and cause some major damage.”

The hack enabled the team to gain access to the address book, photo/video folder, and browsing history on the iPhone 4S. And even worse, the team says that the vulnerability hasn’t been fixed in iOS 6, so the iPhone 5 is also susceptible.

The group of researchers earned $30,000 for their exploit, which they immediately destroyed after the contest ended. They say it would be extremely dangerous if it fell into the wrong hands, and they’ve passed the data on to Apple.

Interestingly enough, last year’s iPhone Pwn2Own winner, Charlie Miller, was recently hired by Twitter to help beef up security.