HP held its annual Mobile Pwn2Own competition in Tokyo, Japan on 11-12 November. The purpose of the event was for security researchers, developers and hackers to exploit various phones through previously unknown bugs and then report them to the respective handset makers so the vulnerabilities could be patched.
A prize pool of $425,000 (£271,000) was available to anyone who could hack into a phone's innards via an unknown bug and then gain comprehensive control over the phone in less than 30 minutes. Many devices were successfully exploited in the competition, including the Apple iPhone 5S, BlackBerry Z30, Amazon Fire phone, Google Nexus 7, Samsung Galaxy 5 and LG Nexus 5.
BBC News reports that five teams successfully used the bugs they had found to take over five devices. Three of the successes exploited NFC to give the attackers the ability to extract data at will from the phones. The other two attacks compromised a phone via its on-board web browser.
Partial pwnage was achieved by two security veterans trying to exploit Windows Phone and Android. Each succeeded in controlling one aspect of the respective system but was unable to gain comprehensive control over it.
First was Nico Joly, the sole competitor to take on a Windows Phone, a Lumia 1520 to be specific, with an exploit aimed at the phone's default browser, Internet Explorer. HP says that:
"He was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system."
The second and final competitor, Jüri Aedla, is a seasoned Pwn2Own veteran who presented an approach utilizing Wi-Fi on his Nexus 5 but was unsuccessful in elevating his privileges further than the original level.
The winners of the competition included UK security expert Adam Laurie, Japan's Team MBSD and South Africa's MWR InfoSecurity. All in all, it was a healthy competition which will help handset makers in fixing the vulnerabilities and software flaws in their phones and will assist them in strengthening the security of the future handsets they produce.