Security Researchers Use Wi-Fi and Safari Exploits to Breach iPhone 7 at Annual Mobile Pwn2Own Contest

[69Mustang]

There had, indeed, to be an issue on Google's end, because, for the umpteenth time, Google issued a patch.

You keep saying this as if there's some sort of corollary to Samsung's exploit and Google issuing a patch. This makes no literal or figurative sense. You have no idea what bugs lead to Samsung's exploit. That is a fact. You're assuming it was a bug in Chromium, but you're making that assumption with no evidence.

The only reason I conflated Samsung and Google is that Google was not separately tested. Instead, various Android-based devices were, among them one from Samsung. Given that, as you acknowledge, Samsung's browser is based on code by Google, and that Google issued a patch, I posited the possibility (if not strong likelihood) that this Samsung flaw is in fact, in part, on Google's end.

I mean, either that, or was being "plain dishonest". ¯\_(ツ)_/¯

I don't know bud - using your Samsung/Google logic - plain dishonesty looks likely.
I say that because the blog clearly states:
Browsers
In this category, contestants will target Google Chrome, Apple Safari, or the Samsung Internet Browser – and yes, Samsung’s web browser is just called Internet Browser. As an aside, that is a dreadfully stupid name for their browser.

So yeah, separately tested. I got that information from the Zero Day site. The same site you got your original quote from. Using chucker logic, since the info was on the same site, you purposely ignored that info and wen't with your plainly dishonest narrative. Of course I'm being silly, but no sillier than your assertion that Google HAD to be the bug in Samsung's browser code.

 

[MRrainer]

Frightening. And that's a public researcher. If ATP10 (one of their alleged Advanced Persistent Threat groups) wants to 0wn you, you're as good as dead.

I guess they could just 0wn and shut down most of the world during you average lunch-break.
But then, nobody would be able to buy their cheap stuff and then all hell would break loose there, too.

 

[Glideslope]

Each release becomes easier to breach as it bloats in size with hundreds of features 90% of users will never swipe. Might as well call it iOdows.

 

[jimi78]

All this while I'm trying to turn off passcode and fingerprint unlock features on my phone as they are tiresome to me. I appreciate all of the security features and respect for privacy. But in reality, by not using Apple Pay or digital payments I have nothing to hide on my phone. Which is also why a $1,000 iPhone with a camera to take selfies has no appeal to me.

Touch ID is 'tiresome" to you??!! it literally is the same gesture as opening an iPhone w/o a passcode set.

 

[deanthedev]

I don't know bud - using your Samsung/Google logic - plain dishonesty looks likely.

Dishonesty? Possibly. Do you remember the very first quote that started this whole thing?

Good job Google for being unbreachable.

Now THAT’S what I call a dishonest post. Implying Google is “unbreachable”. Actually, no, not implying. Stating outright.

 

[MRrainer]

Uh, no it's not the equivalent. A person looking through my phone for digital assets such as a picture or a contact versus letting a person in my house for physical assets across a much broader spectrum are entirely different. Wi-Fi standards, digital currency, etc. I get it. But aside from your credit card info please tell me what your common everyday thief is going to steel from your phone that is of value? Your text messages, your music, take a selfie and post it to Facebook?

It really depends on what is on the phone and who finds/steals it.

Pictures can be used to create fake identities, for example.

I've seen fake adverts for non-existing rental flats that, first thing, ask you to send a copy of your passport (even before they ask you for money for a deposit).
This is in turn used for other frauds etc.

 

[iapplelove]

What an irrelavant and pointless comment.

On a more relevant note. This exploit has been fixed in the new update.

Which new update? They said it was running 11.1. Do you mean the beta 11.2?

 

[chucker23n1]

Great... so if I updated from iOS 10 to 11.1 it would benefit me zero. I'll stay on 10 then.

There are plenty of other security issues fixed between 10.3.3 and 11.1, and staying on an older version is increasingly irresponsible.

You keep saying this as if there's some sort of corollary to Samsung's exploit and Google issuing a patch.

It isn't.

This makes no literal or figurative sense. You have no idea what bugs lead to Samsung's exploit. That is a fact. You're assuming it was a bug in Chromium, but you're making that assumption with no evidence.

OK, great, let's say it isn't Samsung. Is it NFC? Is it Huawei's baseband?

And does it really even matter? After all, the original assertion was this: "Good job Google for being unbreachable.", and as far as I can tell, that's a misleading conclusion.

I don't know bud - using your Samsung/Google logic - plain dishonesty looks likely.
I say that because the blog clearly states:
Browsers
In this category, contestants will target Google Chrome, Apple Safari, or the Samsung Internet Browser – and yes, Samsung’s web browser is just called Internet Browser. As an aside, that is a dreadfully stupid name for their browser.

Is it? You mean like Mail for your e-mail client? Calendar for, y'know, your calendar? Or how about Music and Photos, for… you get the idea. I don't know what your rant against generic names for software has to do with anything, but virtually everyone does it. What's Google's photo platform called? Used to be Picasa, but now it's… Photos.

Either way, I don't know what you're arguing. Like, at all.

So yeah, separately tested. I got that information from the Zero Day site. The same site you got your original quote from. Using chucker logic, since the info was on the same site, you purposely ignored that info and wen't with your plainly dishonest narrative. Of course I'm being silly, but no sillier than your assertion that Google HAD to be the bug in Samsung's browser code.

That wasn't my assertion. In fact, as I've said several times, that's just a possibility.

 

[69Mustang]

Dishonesty? Possibly. Do you remember the very first quote that started this whole thing?



Now THAT’S what I call a dishonest post. Implying Google is “unbreachable”. Actually, no, not implying. Stating outright.

But that post doesn't use Samsung/Google logic. It also has nothing to do with Chucky's assertions.

 

[calzon65]

Apple is a magician ... attention folks, in my left hand I have some beautiful emojis ... in my right hand we have the Apple bug & exploit repair team ... ignore my right hand, just look at my left hand with our really cool emojis.

 

[Marshall73]

They have hands on with unlocked devices. Would be massive news if it was a hands off attack on a locked device.

 

[deanthedev]

But that post doesn't use Samsung/Google logic. It also has nothing to do with Chucky's assertions.

Still a very dishonest post. Or do you disagree?

 

[840quadra]

I love these competitions, and appreciate Apple and other manufacturers taking part, and sometimes sponsoring them. Curious as to what got them in with Samsung, but not the Pixel. Looking forward to reading into the article further.

 

[69Mustang]

Still a very dishonest post. Or do you disagree?

I have no opinion on that post. If I did, I prolly would have posted one.

 

[peterlobl]

All this while I'm trying to turn off passcode and fingerprint unlock features on my phone as they are tiresome to me. I appreciate all of the security features and respect for privacy. But in reality, by not using Apple Pay or digital payments I have nothing to hide on my phone. Which is also why a $1,000 iPhone with a camera to take selfies has no appeal to me.

which non-tiresome computing devices do you prefer?

 

[69Mustang]

I love these competitions, and appreciate Apple and other manufacturers taking part, and sometimes sponsoring them. Curious as to what got them in with Samsung, but not the Pixel. Looking forward to reading into the article further.

The S8 uses the Samsung Internet Browser. The Pixel uses Google's Chrome Browser. They are not the same thing.

 

[840quadra]

The S8 uses the Samsung Internet Browser. The Pixel uses Google's Chrome Browser. They are not the same thing.

I am aware of that.. now.

Hand't read the linked article at the time I posted it, as I said, I was looking forward to reading more.

You can also install and use Chrome on a Samsung phone, so I was curious which browser was exploited.

 

[Ntombi]

But aside from your credit card info please tell me what your common everyday thief is going to steel from your phone that is of value? Your text messages, your music, take a selfie and post it to Facebook?

All of my and my family’s personal information, including social security numbers, passport and license info, bank account numbers and PINs, investment and insurance info, all of the passwords to online and offline accounts, streaming devices, and more.

That doesn’t include personal messages and photos that aren’t crucial, but are important to me and my family.

And I’m not alone.

 

[Tech198]

I wouldn't mind that much money for cracking ioS 11.01 Wi-fi connection.

No wonder why they do it.

 

[69Mustang]

I am aware of that.. now.

Hand't read the linked article at the time I posted it, as I said, I was looking forward to reading more.

You can also install and use Chrome on a Samsung phone, so I was curious which browser was exploited.

Yup. Chrome is the default browser on my S7, my wife's S8, and it's the browser of choice on both my daughter's iPhones (6 & 6S). They're getting iPhone 7 for XMas. Chrome's gonna be there too. Chrome travels so well across ecosystems.

Samsung has/had an alternative to every single primary Google app. It used to bother me some but you pretty quickly realize that none of it is required and some of it's actually good. That browser is actually okay. It's plenty quick. It's just tied to Samsung and doesn't travel like Chrome.

 

[the johnmc]

What are “master of pwn points”? Are they like Chucky cheese tokens and once you get enough you can redeem them for prizes?

In a way, yes. It's explained in the article. Also, It's Chuck E. Cheese. The E stands for Entertainment. Entertainment is literally his middle name (Charles Entertainment Cheese).

 

[840quadra]

Yup. Chrome is the default browser on my S7, my wife's S8, and it's the browser of choice on both my daughter's iPhones (6 & 6S). They're getting iPhone 7 for XMas. Chrome's gonna be there too. Chrome travels so well across ecosystems.

Samsung has/had an alternative to every single primary Google app. It used to bother me some but you pretty quickly realize that none of it is required and some of it's actually good. That browser is actually okay. It's plenty quick. It's just tied to Samsung and doesn't travel like Chrome.

Yeah portability, and Google's patches are a nice touch. I use Chrome on my iPhone and Pixel 2, so I can retain bookmarks and such.

Oddly though, I use DuckDuck go for my searches. I can't put all of my eggs in Google's basket can I

 

[Primejimbo]

Great... so if I updated from iOS 10 to 11.1 it would benefit me zero. I'll stay on 10 then.

Yup, updating the have KRACK patched is a zero benifit.

 

[Alenore]

Now THAT’S what I call a dishonest post. Implying Google is “unbreachable”. Actually, no, not implying. Stating outright.

Except that so far in the contest, Google IS unbreachable. The only hack that got through on Android was through the Samsung Internet browser. None through Wi-Fi or baseband.

But then, I suppose it's not really as challenging go hack into Android than into iOS. Y'know, the thrill of proving Apple wrong ok their claim about security etc

https://www.zerodayinitiative.com/blog/2017/10/31/welcome-to-mobile-pwn2own-2017-day-one

It's also worth mentioning that the only browser that *didn't* get hacked on the " desktop" pwn2own contest in March was Chrome.
5 vulnerabilities in edge, 4 in safari, 1 in Firefox, none in Chrome

 

[katbel]

It's also worth mentioning that the only browser that *didn't* get hacked on the " desktop" pwn2own contest in March was Chrome.
5 vulnerabilities in edge, 4 in safari, 1 in Firefox, none in Chrome

Yeah..Chrome is already getting all the infos about you and what you are doing by itself