“Cybercriminals and hackers will always be one step ahead of developers.”
This is the mantra you tend to hear regularly spouted by top security experts. The idea, of course, is that as soon as new security technology becomes available, someone will immediately break it, leaving developers and security gurus in a frustrating reactive state.
And this concept couldn’t have been better demonstrated than it was this past week when some Dutch researchers developed a hack for the iPhone 5… days before its release.
The researchers developed the hack using a developer model of iOS 6 to test their methods, which means the same vulnerability is present on the official iPhone 5 release.
"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol (photo left), CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit." [ZDNet]
The hack earned the team a $30,000 cash prize at the Pwn2Own contest.
But despite the early security breach, the developers contend that the new iPhone is not only a very secure device, but the safest mobile device available in today’s market. Unfortunately, that’s not saying much when it took only three weeks to hack it.
"We really wanted to show that it is possible, limited time, with limited resources, to exploit the hardest target. That's the big message. No one should be doing anything of value on their mobile phone," Pol said. “It's important for people to understand, especially businesses, that mobile devices should never be used for important work."
We couldn’t agree more.