Smartphone Security Challenge: Mobile Pwn2Own 2014
Mobile Pwn2Own 2014, held by the HP Zero Day Initiative, is a competition that gave big cash prizes to those who could successfully show off their hacking skills and breach the security measures on popular devices. These five included the Amazon Fire Phone, iPhone 5S, LG Nexus 5 and the Samsung S5.
They were all compromised (to varying degrees), with a total prize of $425,000 on offer. The contest was sponsored by Google’s Android team and BlackBerry.
The iPhone 5s was compromised by members of the South Korean team [email protected] who used a combination of two vulnerabilities to successfully hack the device via the Safari browser and achieved “a full sandbox escape”.
Samsung Galaxy S5
The Samsung Galaxy S5 was compromised by two separate teams from Japan and the UK, both of which used the NFC chip as the vector for a successful attack.
NFC was a popular attack choice, with UK-based Adam Laurie from Aperture Labs using this method to hack the LG-built Nexus 5 smartphone.
A two-bug exploit targeting NFC capabilities on the LG Nexus 5 (a Google-supported device) demonstrated a way to force Bluetooth pairing between phones.
The HP blog says that Nico Joly, who refined his competition entry on the very laptop he won at this spring’s Pwn2Own in Vancouver as part of the VUPEN team, was the sole competitor to take on Windows Phone (the Lumia 1520) this year, entering with an exploit aimed at the browser. He was able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system.
This revelation came on the second day of HP’s Pwn2Own hacking contest, with this round targeting the browsers of mobile devices. Although it came out on top, Windows Phone did not emerge completely unscathed.
The exploits and vulnerabilities were disclosed privately to the affected companies, including Apple, Samsung and Amazon, to give them time to fix any potential threats before HP reveals more technical details of the attacks in the coming weeks.