Mobile Pwn2Own 2013 Yields Exploits in Safari, Samsung S4 applications

Mobile Pwn2Own 2013 started out with a bang. HP’s Zero Day Initiative and competition co-sponsors Google and BlackBerry awarded $67,500 USD for the disclosure of multiple 0-day vulnerabilities and exploit techniques in the Safari browser and mobile applications. We are excited to bring Pwn2Own to Japan to see the breadth of research from across the world, including exploits that reveal techniques that can help internal security teams improve their mitigations.

 

As mobile technology advances, an abundance of new risks and vectors for security vulnerabilities is emerging. From the mobile browser to the baseband processor, this competition is designed to highlight researchers who are working to secure this area. We were lucky enough to have two teams, from China and Japan, demonstrate such risks on the first day.

 

In the mobile browser category, Keen Team, a group of security researchers from China, demonstrated two exploits on the iPhone 5 and won $27,500 USD. They first demonstrated an exploit against the Safari browser running on iOS 7.0.3, followed by another exploit on Safari running on iOS 6.1.4. These exploits allow a remote attacker to exfiltrate the cookie database and photos from Apple’s iPhone. More details on this exploit can be found here.

 

Japan’s very own Mitsui Bussan Secure Directions, Inc. demonstrated an exploit that leveraged vulnerabilities in several applications that are installed by default on the Samsung Galaxy S4. Combined, these bugs allow the silent installation of a malicious application and the theft of sensitive user data, including SMS messages, the contact list and web browsing history. This successful attack netted them $40,000 USD. More details on that exploit can be found here.

 

All of the vulnerabilities and exploit techniques used today have been disclosed to the affected vendors. A couple of researchers are still actively developing exploit attempts, and hopefully we will have more action tomorrow. Check out hppwn2own.com for contest photos, videos and updates.

 
