The Mobile Pwn2Own 2013 hacking contest began today at PacSec Tokyo 2013. The first day of competition brought iOS and the Samsung Galaxy S4 down. The contest is run by the HP Zero Day Initiative (ZDI).
[Correction: An earlier version of this story stated that Android was compromised. HP says that the exploit was of Samsung apps, not of Android.]
Brian Gorenc, Manager, Zero Day Initiative, HP Security Research, emphasized that point of the contest is to bring vulnerability research in the far east into legitimate circles and out of the black market. Pwn2Own winners can receive tens of thousands of dollars, and they get to keep the device they hack. Two teams have competed so far. The contest is not yet over and there may be further results by tomorrow.
The first team was the Keen Team from Keen Cloud Tech in China. Keen demonstrated two iOS exploits, on iOS 6.1.4 and 7.0.3. On iOS 6.1.4, by getting the user to visit a web site, the attackers were able to steal the cookie database from the browser. From this they retrieved the user's Facebook credentials and logged in using them on a different computer. The iOS 7.0.3 exploit relied on a flaw in the permissions model. Once the user visited a page, the attackers were able to steal a photo from the phone.
Neither phone was jailbroken. But Keen was not able to break out of the sandbox, so their award was limited to $27,500.
The second team was Team MBSD, of Mitsui Bussan Secure Directions, Inc. in Japan. Team MBSD demonstrated several exploits against default applications on the Samsung Galaxy S4. The exploit utilized a chain of vulnerabilities.
By getting the user to view a web site, their attack was able to install system-level malware silently. They were able to compromise multiple apps in this way. The malware was then able to steal SMS logs, contact list, bookmarks and more.
This is a particularly dangerous bug, and Team MBSD was awarded $40,000 for it.
The vulnerabilities have been disclosed to Apple, Google and Samsung. Until the vulnerabilities are addressed, ZDI is not disclosing the details of them publicly.
In the video below, the Keen Team Discusses their exploit of Safari on iOS.