iOS, Samsung Galaxy S4 conquered in Mobile Pwn2Own 2013

Summary: At PacSec Tokyo 2013, hacking teams from Japan and China compromised an iPhone 5 running iOS 6 and iOS 7 and a Samsung Galaxy S4.

The Mobile Pwn2Own 2013 hacking contest began today at PacSec Tokyo 2013. The first day of competition brought iOS and the Samsung Galaxy S4 down. The contest is run by the HP Zero Day Initiative (ZDI).

[Correction: An earlier version of this story stated that Android was compromised. HP says that the exploit was of Samsung apps, not of Android.]

Brian Gorenc, Manager, Zero Day Initiative, HP Security Research, emphasized that the point of the contest is to bring vulnerability research in the Far East into legitimate circles and out of the black market. Pwn2Own winners can receive tens of thousands of dollars, and they get to keep the device they hack. Two teams have competed so far. The contest is not yet over, and there may be further results by tomorrow.

Prepping devices for Mobile Pwn2Own 2013


The first team was the Keen Team from Keen Cloud Tech in China. Keen demonstrated two iOS exploits, on iOS 6.1.4 and 7.0.3. On iOS 6.1.4, by getting the user to visit a web site, the attackers were able to steal the cookie database from the browser. From this they retrieved the user's Facebook credentials and logged in using them on a different computer. The iOS 7.0.3 exploit relied on a flaw in the permissions model. Once the user visited a page, the attackers were able to steal a photo from the phone.

Neither phone was jailbroken, but Keen was not able to break out of the sandbox, so their award was limited to $27,500.

The second team was Team MBSD, of Mitsui Bussan Secure Directions, Inc. in Japan. Team MBSD demonstrated several exploits against default applications on the Samsung Galaxy S4. The exploit utilized a chain of vulnerabilities.

By getting the user to view a web site, their attack was able to install system-level malware silently. They were able to compromise multiple apps in this way. The malware was then able to steal SMS logs, the contact list, bookmarks and more.

This is a particularly dangerous bug, and Team MBSD was awarded $40,000 for it.

The vulnerabilities have been disclosed to Apple, Google and Samsung. Until the vulnerabilities are addressed, ZDI is not disclosing the details of them publicly.

In the video below, the Keen Team discusses their exploit of Safari on iOS.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
