Apple’s (NASDAQ: AAPL) iPhone 5, hitting the stores today, is vulnerable to the same attack that successfully breached an iPhone 4S at the mobile Pwn2Own hacker contest held this week at the EUSecWest event in Amsterdam.
Two Dutch security researchers, Joost Pol and Daan Keuper, successfully compromised an iPhone 4S device by exploiting a vulnerability in WebKit to beat Apple’s code-signing feature and MobileSafari sandbox.
Once they breached the iPhone 4S, the researchers were able to steal contact information, browsing history, photos and videos, but were not able to steal text messages and emails because those were encrypted.
The researchers told ZDNet that they exploited a zero-day vulnerability to bypass the code signing requirements and sandbox. “We specifically chose this one because it was present in iOS 6, which means the new iPhone coming out today will be vulnerable to this attack,” Pol said.
Hackers could embed the exploit into an advertisement on an ad network and “cause some major damage,” Pol said.
What does this mean for people who are running out today to buy the iPhone 5? Well, according to Pol, the iPhone is still the most secure smartphone on the market. “It took us three weeks, working from scratch, and the iPhone is the most advanced device in terms of security,” he said.
Enterprise users of the iPhone 5, or any other smartphone, should be especially careful about storing sensitive information on their devices and sending it from them. They should also make sure any sensitive information is encrypted, because the researchers were not able to access the encrypted data on the iPhone that they breached.
Remember that no matter how much security is loaded into a mobile device, someone at some point is going to find a way around it.