An iPhone 5S, Samsung Galaxy S5, LG Nexus 5, and Amazon Fire Phone were all hijacked by whitehats on the first day of an annual hacking contest that pays hefty cash prizes for exploits bypassing security sandbox perimeters.
Day one of the Mobile Pwn2Own competition at the PacSec conference in Tokyo repeated a theme struck over and over at previous Pwn2Own events. If a device runs software, it can be hacked—regardless of claims made by marketers or fans. Organized by the Hewlett-Packard-owned Zero Day Initiative and sponsored this year by Google and Blackberry, Mobile Pwn2Own awards as much as $150,000 for the most advanced hacks, with a total prize pool of $425,000. In exchange, contestants agree to turn over technical details to the organizer and keep them confidential until the underlying vulnerabilities have been patched.
During the first day, according to this HP blog post, the following hacks took place:
- An iPhone 5S was taken down by a two-bug attack, one of which managed to execute a full sandbox escape in the Safari browser.
- Hackers used Near Field communication (NFC) functionality to trigger a deserialization exploit in a Samsung Galaxy S5. A separate team also abused NFC to exploit a logical error also present in the S5, bringing the total number of successful hacks of the smartphone to two.
- Yet a third hack involving NFC took down an LG Nexus 5 by forcing Bluetooth pairing between phones.
- An attack wielding three separate bugs successfully commandeered the Amazon Fire Phone's Web browser.
With three of the five attacks abusing NFC—which allows devices to establish radio communications when they are gently bumped together or pass within close proximity of special chips—it's a good bet that there are more vulnerabilities to be found in other implementations of the technology. The results are also a vindication of research presented two years ago when whitehat hacker Charlie Miller was able to commandeer Android and Nokia smartphones when they came into close proximity of a booby-trapped chip.
Over the years, Pwn2Own and similar contests have emerged as a great equalizer among various computing products, especially those with smaller user bases that don't provide as much reward for criminal hackers in the wild. By creating strong incentives for successful hacks, the contests demonstrate that virtually no system or software is safe against an attacker with above-average technical skills and the time and determination to put them to good use. Day two of the competition runs Wednesday. Don't be surprised if more devices fall.
No comments:
Post a Comment