NFC is the new security threat vector, iPhone 5s, Galaxy S5 pwned in Mobile Pwn2OwnThe competitionApple iPhone 5SSamsung Galaxy S5Google Nexus 5Fire PhoneLumia 1520
The competition
Here’s how the contest works. Security researchers choose the device they would like to try and hack into at the time of registration. They have to carry out the hack in a 30 minute time frame. The restrictions on this hack is that the vulnerabilities used, must be unknown prior to the event aka zero day attacks. The bug used and a corresponding white paper detailing the bug has to be handed over to ZDI which carries out the task of informing the affected organization. The prize list is varies according to the technique used, which is:
$50,000 for hacking mobile Web browsers, vulnerability in the OS or an application $75,000 for Bluetooth, Wi-Fi or Near Field Communication (NFC) $100,000 for messaging services $150,00 for baseband attacks
The winning amount is given to the first team or individual that manages to break into the device. “A successful attack against these devices must require no user interaction beyond the action required to browse to the malicious content. As always, the initial vulnerability used in the attack must be in the registered category,” Gorenc explained. “The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be unpublished zero days.”
Apple iPhone 5S
On the very first day, the first team- South Korean competition veterans [email protected] approached the bench with a two-bug combination that pwned the Apple iPhone 5S via the Safari browser. The 2 bugs, used together not only managed to break the Safari browser but also managed to break the entire sandbox environment of iPhone, defeating every security mechanism the device uses.
Samsung Galaxy S5
The particular device was pawned not once, but twice. The first effort from Japan’s Team MBSD, used NFC as a vector to trigger a deserialization issue in certain code specific to Samsung.The other Samsung pwnage, brought to the competition by Jon Butler of South Africa’s MWR InfoSecurity, took another approach focusing on NFC. This attack is possible specifically on the galaxy s5
Google Nexus 5
Adam Laurie from the UK’s Aperture Labs came up next with the Nexus device in his crosshairs. He successfully managed to brute force a bluetooth connection between 2 devices using a 2-bug attack. If this sounds familiar, it is a technique used very frequently on the hit series ‘Person of Interest’. Jüri Aedla also tried to take on this device using wi-fi but failed to gain full control of the device.
Fire Phone
Lumia 1520
This device might have turned out to be the most well protected. The attacker- the winner of the earlier Pwn2Own held this year Nico Joly did manage to break into the system and exfiltrate the entire cookie database, but he managed to go any further with the device’s sandbox holding up strong under attack. This years Pwn2Own laid out interesting tactics on part of the hackers. In most of the cases, the attack vector used by the hackers to take control of the phones was the Near Field Communication (NFC) technology, which is available in almost all the latest models of smartphones from prominent vendors. Looks like NFC security is going to be big challenge for Apple, Samsung and co in the years to come.