iOS, Samsung Galaxy S4 conquered in Mobile Pwn2Own 2013

Summary: At PacSec Tokyo 2013, hacking teams from Japan and China compromised iPhone 5 running iOS 6 and iOS 7 and a Samsung Galaxy S4.


The Mobile Pwn2Own 2013 hacking contest began today at PacSec Tokyo 2013. The first day of competition brought iOS and the Samsung Galaxy S4 down. The contest is run by the HP Zero Day Initiative (ZDI).

[Correction: An earlier version of this story stated that Android was compromised. HP says that the exploit was of Samsung apps, not of Android.]

Brian Gorenc, Manager, Zero Day Initiative, HP Security Research, emphasized that the point of the contest is to bring vulnerability research in the Far East into legitimate circles and out of the black market. Pwn2Own winners can receive tens of thousands of dollars, and they get to keep the device they hack. Two teams have competed so far. The contest is not yet over and there may be further results by tomorrow.

Prepping devices for Mobile Pwn2Own 2013


The first team was the Keen Team from Keen Cloud Tech in China. Keen demonstrated two iOS exploits, on iOS 6.1.4 and 7.0.3. On iOS 6.1.4, by getting the user to visit a web site, the attackers were able to steal the cookie database from the browser. From this they retrieved the user's Facebook credentials and logged in using them on a different computer. The iOS 7.0.3 exploit relied on a flaw in the permissions model. Once the user visited a page, the attackers were able to steal a photo from the phone.

Neither phone was jailbroken. But Keen was not able to break out of the sandbox, so their award was limited to $27,500.

The second team was Team MBSD, of Mitsui Bussan Secure Directions, Inc. in Japan. Team MBSD demonstrated several exploits against default applications on the Samsung Galaxy S4. The exploit utilized a chain of vulnerabilities.

By getting the user to view a web site, their attack was able to install system-level malware silently. They were able to compromise multiple apps in this way. The malware was then able to steal SMS logs, contact list, bookmarks and more.

This is a particularly dangerous bug, and Team MBSD was awarded $40,000 for it.

The vulnerabilities have been disclosed to Apple, Google and Samsung. Until the vulnerabilities are addressed, ZDI is not disclosing the details of them publicly.

In the video below, the Keen Team discusses their exploit of Safari on iOS.

  • Does it really matter that "Android was not compromised"?

    From the article:
    "Correction: An earlier version of this story stated that Android was compromised. HP says that the exploit was of Samsung apps, not of Android."

    Can these default apps be uninstalled without rooting the device? And replaced by 3rd party apps?
    Rabid Howler Monkey
    • Good point.

      Both hacks start with "by getting the user to visit a web site" which means in both cases a web browser is the attack vector.

      The premise is: "Android was not compromised, but an App was". Safari is also just an app (which also cannot be removed or replaced). By the same logic, iOS was not compromised but Safari (an App) was.

      Now here is where things really fall apart. With the iOS hack the hackers were not able to get out of the App Sandbox, hence they got less money. This gives some credence to the notion that only Safari the App was hacked. With the Android hack, the hackers were able to leave the sandbox. This is why they got more money. I would argue this means Android was in fact compromised because it was unable to contain the app within the app's sandbox.
      • these were native Apps no?

        So you're not in the VM.
        • Interesting

          If an App is native, does that not imply it is part of the OS? Perhaps Samsung should not be allowed to call their phone's operating system "Android". If Samsung is allowed to modify the OS, install their own native apps, and are allowed to still call it "Android", then the result is Android was compromised and not an app.

          One can't have it both ways.
          • native code is part of the Android system architecture

            Of course native code doesn't run in the Dalvik VM. There are some kernel mods specific to Android, or maybe they are all LKMs now; either way, security is enforced at kernel level as all Dalvik apps run in separate VMs. Google says the VM is not the security boundary.

            Although native code apps are more complex they run faster since they don't have to be compiled at run time. Sammy might also not want to be subject to "changes" Google might make in Dalvik APIs.

            Interesting side note: Google is moving to replace Dalvik with ART (Android Run Time), which switches from JIT to AOT to speed up apps, improve battery performance, and generally achieve greater parity with that other platform with the fruit label.
    • Yes it matters that Android was not compromised.

      It means that the handsets vulnerable to the exploit are Samsung, not other brands of phones running Android.
      • Re: It means that the handsets vulnerable to the exploit are Samsung

        And.. it only by coincidence happens that Samsung is the company that sells most handsets of all Android.

        If you ask someone with an Android phone, what phone they have, the most likely answer will be "Samsung" and not "Android".
        • Danbi, you nailed it :)

          In addition ...

          1. The hackers got system level privileges via app vulnerabilities

          2. I don't know that I have any more confidence in secure coding from other Android OEMs such as LG, HTC, Motorola, etc.
          Rabid Howler Monkey
    • The Galaxy S4 was hacked, not Android

      It's completely true and fair to say that Android wasn't hacked. Nothing that was hacked was part of Android. I could have said that it was Samsung's distribution of Android that was hacked, but saying it's the apps is the same thing.
  • Lol... Android is weak and poorly designed.

    • dude - as a windows fanboy I wouldn't be

      laughing at anyone else's flaws. Windows is like swiss cheese, with critical in the wild exploits weekly.
  • Samsung Galaxy S4 conquered

    So what OS does it run, Android or Bada?
    • LINUX

      • it was a rhetorical question

        Android/iOS is weak, Windows Phone and Win RT is super secure.
        • it was a rhetorical answer

  • What about Windows Phone?

    I see two Windows phones lying on that table. What happened to them?
    • nothing much :-)

      Either they weren't interested in attacking them or... well that's about the only explanation.

      These are mostly an opportunity for demonstrations of successful attacks ... you don't bring your failures to this event AFAIK. :-)

      Maybe next year if WP has 10% or more market share...

      Really, I think there are more contestants to go though.
      • most attacks now are link bait/phishing attacks

        so really it's the user's fault.
        • no, users may be stupid but the OS is still responsible for

          Unauthorized access and data leakage.
    • None of the teams chose to attack it

      It may be that Windows Phone is harder to attack, but I suspect the real reason is that any hacker team would rather pwn a market leader like Android generally or Samsung or iOS.