Researchers have broken into an iPhone 4S running the latest version of Apple iOS, making it possible to exploit the same vulnerability in the iPhone 5 that is set for release on Friday.
The white-hat hackers Joost Pol and Daan Keuper showed how they were able to steal contacts, browsing history, photos and videos to win $30,000 in the mobile Pwn2Own contest Wednesday at EUSecWest in Amsterdam, IT World reports.
Because the hacked iPhone was running a developer version of iOS 6, it's likely the same vulnerability could be used to break into an iPhone 5 or the latest iPad and iPod Touch devices.
The WebKit browser exploit took only a few weeks to make, the researchers told IT World. Using the malicious code in a website would enable a cybercriminal to bypass the security mechanisms in Safari to gain access to the phone's data.
WebKit is a layout engine used by browsers to render Web pages. The open source technology is used in the Safari Web browser in iOS and in Google's Chrome, which recently became the default browser for Android.
[See also: 5 policy questions for mobile device security]
The Dutch researchers are not the first penetrate the iPhone's defenses through WebKit, said Chenxi Wang, an analyst for Forrester Research. Hackers typically target WebKit because Apple does not use a number of standard security practices in using the engine.
Apple has not said why, but it could be related to phone performance and battery life. In addition, Apple doesn't vet code executed on the browser, like it does apps before allowing them to be offered to iPhone users.
"This opens doors to remote exploitation," Wang said. "But to [Apple's] credit, we haven't seen a lot of that going on, which is actually quite impressive."
Wang does not believe the risk of the latest vulnerability is very high. That's because a cybercriminal would have to find a way to get iPhone users to a compromised site. A hacker could inject malicious code into a popular Web site, but this would also be difficult.
"It's certainly possible and certainly is a threat, but I don't see it becoming a massively popular way of attacking iPhone users," he said.
The Dutch researchers held back some of the details of their work, in order to prevent giving cybercriminals a hacking roadmap to the iPhone.
"Apple will have to come up with an update and then people need to upgrade as fast as possible," Pol told IT World.
Speed in plugging the hole is key to reducing risk, said Peter Bybee, president and chief executive of cloud security provider Security On-Demand.
"Whether you're likely to be attacked depends on how long the gap will be between when Apple fixes the problem and attackers repeat the researcher's success," Bybee said. "Just because the exploit is shared only with the vendor doesn't mean that it won't get out into the open market. There was enough detail in how they found the exploit and used it that it could be replicated by an experienced malware creator."
Other participants in the hacker contest demonstrated breaking into the Samsung Galaxy S3 via its near field communication (NFC) technology. The researchers from security company MWR Labs were able to beam an exploit from one Galaxy S3 to another.
Once the malicious app is installed in the receiving phone, a hacker would have full access to the phone's data, Tyrone Erasmus, a security researcher at MWR told IT World. The app runs in the background, making it invisible to the phone's user.
The exploit targets a vulnerability in the document viewer application that comes as a default app in the Galaxy S2, S3 and some HTC phones. The flaw enables a hacker to steal text messages, emails, contact information and other data.
The researchers said the vulnerability, which also exists in the Galaxy S2, could be exploited by malware sent via email, the MWR team said. The researchers also won $30,000 for the hack.
Zero Data Initiative by Hewlett-Packard's DVLabs organized the competition. DVLabs will send details of the hacks to Apple and Samsung, respectively.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.