NFC is the new security threat vector, iPhone 5s, Galaxy S5 pwned in Mobile Pwn2Own
The third edition of Mobile Pwn2Own took place on November 12-13 alongside the PacSec Applied Security Conference in Tokyo. The organizers, HP’s Zero Day Initiative (ZDI), had increased the prize money by $125k, and the event saw five teams carry out five successful hacks against their chosen mobile phones. “With the near-ubiquity of mobile devices, vulnerabilities on these platforms are becoming increasingly coveted and are actively and vigorously hunted by criminals for exploitation. This contest helps to harden these devices by finding vulnerabilities first and sharing that research with mobile device and platform vendors,” Brian Gorenc, manager of vulnerability research at HP’s Security Research division and the man responsible for running ZDI, wrote in a blog post on Tuesday.
Here’s how the contest works. Security researchers choose the device they would like to try to hack into at the time of registration, and they have to carry out the hack within a 30-minute time frame. The main restriction is that the vulnerabilities used must be unknown prior to the event, i.e. zero-days. The bug and a corresponding white paper detailing it have to be handed over to ZDI, which then takes on the task of informing the affected vendor.
The prize varies according to the attack category used:
- $50,000 for hacking mobile Web browsers, vulnerability in the OS or an application
- $75,000 for Bluetooth, Wi-Fi or Near Field Communication (NFC)
- $100,000 for messaging services
- $150,000 for baseband attacks
The winning amount is given to the first team or individual that manages to break into the device. “A successful attack against these devices must require no user interaction beyond the action required to browse to the malicious content. As always, the initial vulnerability used in the attack must be in the registered category,” Gorenc explained. “The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be unpublished zero days.”
The devices that were targeted this year were Amazon Fire Phone, Apple iPhone 5s, Apple iPad Mini with Retina Display, BlackBerry Z30, Google Nexus 5, Google Nexus 7, Nokia Lumia 1520 and Samsung Galaxy S5.
Apple iPhone 5S
On the very first day, the first team, South Korean competition veterans lokihardt@ASRT, approached the bench with a two-bug combination that pwned the Apple iPhone 5S via the Safari browser. Used together, the two bugs not only compromised the Safari browser but also broke out of the iPhone’s sandbox, defeating every security mechanism the device uses.
Samsung Galaxy S5
This device was pwned not once, but twice. The first effort, from Japan’s Team MBSD, used NFC as the vector to trigger a deserialization issue in certain Samsung-specific code. The other Samsung pwnage, brought to the competition by Jon Butler of South Africa’s MWR InfoSecurity, took a different approach that also focused on NFC. This attack is possible specifically on the Galaxy S5.
Google Nexus 5
Adam Laurie from the UK’s Aperture Labs came up next with the Nexus device in his crosshairs. He successfully managed to force a Bluetooth pairing between two devices using a two-bug attack. If this sounds familiar, it is a technique used very frequently on the hit series ‘Person of Interest’. Jüri Aedla also tried to take on this device via Wi-Fi but failed to gain full control of it.
Amazon Fire Phone
The last attack of the day was carried out by the three-man MWR InfoSecurity team of Kyle Riley, Bernard Wagner, and Tyrone Erasmus, with a successful three-bug medley targeting the Amazon Fire Phone’s Web browser.
Nokia Lumia 1520
This device may have turned out to be the best protected of the lot. The attacker, Nico Joly, winner of the earlier Pwn2Own held this year, did manage to break into the system and exfiltrate the entire cookie database, but he could not get any further, with the device’s sandbox holding up strong under attack.
This year’s Pwn2Own showed interesting tactics on the part of the hackers. In most of the cases, the attack vector used to take control of the phones was Near Field Communication (NFC), which is available in almost all the latest smartphone models from prominent vendors. It looks like NFC security is going to be a big challenge for Apple, Samsung and co. in the years to come.