Popular Smartphones Hacked At Mobile Pwn2Own 2014

wiredmikey writes: Researchers have hacked several popular smartphones during the Mobile Pwn2Own 2014 competition that took place alongside the PacSec Applied Security Conference in Tokyo this week. The competition, organized by HP's Zero Day Initiative (ZDI), targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5. Using various attacks, some Mobile Pwn2Own 2014 Pwnage included: Apple's iPhone 5s (hacked via the Safari Web browser, achieving a full sandbox escape); Samsung's Galaxy S5 (hacked multiple times using near-field communications attacks); Amazon's Fire Phone (Web browser exploited); Windows Phone (partial hacks using a browser attack), and the Nexus 5 (a Wi-Fi attack, which failed to elevate privileges). All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.
  • BlackBerry (Score:3, Interesting)

    by Anonymous Coward on Thursday November 13, 2014 @01:21PM (#48379079)

    So did they not hack the Z30, or did they not try?

    • by Anonymous Coward

      Windows Phone faster, more secure than iPhone and Android. The only thing they were able to get from the Windows phone is some cookies, while all of the others got owned.

    • They didn't hack a Nokia 5100 or a Motorola Razr either. Probably for the exact same reason: why expend effort to hack something nobody uses anymore?

      • by Anonymous Coward

        Sounds like a great way to give yourself security while still being able to run the latest Android apps. Anyone who cares about security and wants to run the latest software should consider buying one.

        No, I'm not being facetious. Try one for yourself and get back to me with a list of Android apps you tried yourself with the latest firmware that don't run.

        • Sadly, I have tried the latest Z30, and no, being a smaller security target for people is not worth the pain of being forced to use it. The last few BlackBerrys combined with the abortion that is the BES made it very easy for where I work to finally pull the plug on BlackBerry, as neither the users wanted it and the poor bastards having to run BES certainly didn't want it.

          • by Anonymous Coward
            You lie. You don't need BES to run any BlackBerry 10 device.

            The simple fact is that BlackBerry 10 is the most advanced smartphone operating system in existence, and it isn't even close. It was written from the ground up in the smartphone era, and steals the best interface ideas from other older operating systems like Android (stylistically in 10.3), WebOS (previews), and Meego (gestures). It is a QNX microkernel with Qt, with the ability to run sandboxed Android apps. Security wise, it has not been broken.
  • by Anonymous Coward

    Not hacked? How strange. Well, have fun with your Apple Pay and Google Wallet!

    • Why put in any effort to hack a Z30 when there are only eight of them in use?

      • by Anonymous Coward

        I'm sure happy to be one of those eight. It's nice to be 1337.

  • Bend? (Score:3, Funny)

    by ROBOT9001 ( 3888473 ) on Thursday November 13, 2014 @01:23PM (#48379103)
    I heard the new iPhone 6 Plus exploits are very flexible.
  • by rodrigoandrade ( 713371 ) on Thursday November 13, 2014 @01:26PM (#48379139)
    Haven't we learned by now that physical access to a device steamrolls every security measure put in place?? Why are we still shocked and awed by headlines like these?
    • by NotInHere ( 3654617 ) on Thursday November 13, 2014 @01:32PM (#48379207)

      While it's true that there is no way to prevent breaking in with physical access (even the "secure element" (an integrated SIM card) can be hacked with proper technology), I can't see any attack in TFS that required physical access. A smartphone should be protected against a malicious Wi-Fi hotspot or NFC terminal, and I wouldn't regard communications with those as "physical access".

      • by Alrescha ( 50745 )

        "I can't see any attack in TFS that required physical access."

        You read the article? What the hell is wrong with you? /s

        A.

        • TFSINTFA : The Fucking Summary Is Not The Fucking Article

          you have a 5 digit ID you should know that.

          • by Alrescha ( 50745 )

            Yes, I caught it after I posted. I blame it on the caffeine, and one can't edit.

            Sorry you missed a perfect opportunity to reply to my humorous post with one of your own. I think something along the lines of "Of course I didn't read the actual article - do you think I'm crazy?" would have been a good choice. But perhaps only someone with a 5-digit ID would have seen that...

            A.

    • by locotx ( 559059 )
      Physical access IS root access !
    • Physical access isn't needed for all these attacks. For example, on the iPhone, all it would take would be to get a user to visit a page hosting the malicious code. It may require some social engineering or a watering hole attack but that's not incredibly difficult.

    • by hey! ( 33014 )

      I dunno. Has anyone ever (publicly) cracked a disk encrypted with bitlocker and TPM? I'm sure it can be done, but it'd be surprising if it were done without ripping the computer apart and using exotic equipment to peer into the state of the TPM.

    • by mjwx ( 966435 )

      Haven't we learned by now that physical access to a device steamrolls every security measure put in place?? Why are we still shocked and awed by headlines like these?

      Except that these can all be remote exploits.

      - The iPhone 6 was pwned first via a web browser exploit allowing the exploit to escape the sandbox.
      - The Samsung Galaxy S5 was second with an NFC exploit.
      - The Nexus 5 was third with a Bluetooth exploit that forced a pairing between devices.

      All three of these can be executed remotely; however, of the three only the iPhone attack escaped the sandbox. The NFC exploit used on the Samsung can be used on all NFC enabled Android phones but it uses a model specif

  • In Apple's defense, all the hacks were executed via the Flash plug-in, Java and Adobe Reader.

    Oh, this is about iOS devices?

    Apple, what the fuck are you doing?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.) It should come as no surprise that this means that it is the most obvious attack point, as it's the only iOS app that's allowed to run arbitrary code and that runs by default in a blatantly insecure configuration "for speed."

      I'd make fun of Apple for putting security behind performance, but having used Mobile Safari behind, instead I'll make f

      • iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.)

        Hmm... interesting... do PC web browsers do the same thing? In that case, one would think that if the OS implements NX protection, then the JS interpreter would not work.

        • No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java, .NET, Flash). You allocate the memory, with pages mapped R/W. You emit JIT-compiled code into a page. You re-map the page to R/X! Repeat as more pages are needed. You never, ever have a R/W/X page.

          In fact, browsers (IE and Chrome at a minimum, probably others) and Flashplayer take things a step further. Since you can generate a hug

          • No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java, .NET, Flash). You allocate the memory, with pages mapped R/W. You emit JIT-compiled code into a page. You re-map the page to R/X! Repeat as more pages are needed. You never, ever have a R/W/X page.

            For Chrome, at least, you're completely wrong. Chrome (or more specifically V8) maps all code pages as RWX, then starts writing and modifying code in-place in those RWX pages. Having writable code is required for several V8 features, like inline caches and code garbage collection. Chrome is just as bad in this regard as Safari. However, it's not allowed to do this on iOS, only on desktops and Android (AFAIK).
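
The map R/W, emit, remap R/X sequence described in the comments above, as an added example that is not part of the original thread. It is Linux-specific, the code bytes are a constructed stand-in for JIT output (x86-64 and AArch64 only), and `page_perms` and `jit_wx_demo` are hypothetical names; the same `/proc/<pid>/maps` field can be checked to audit a process for `rwxp` mappings.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for JIT output: a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t CODE[] = {0xb8, 0x2a, 0, 0, 0, 0xc3}; /* mov eax,42; ret */
#elif defined(__aarch64__)
static const uint8_t CODE[] = {0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6}; /* mov w0,#42; ret */
#else
#error "sample code bytes exist only for x86-64 and AArch64"
#endif

/* Copy the permission field (e.g. "rw-p") of the mapping containing addr. */
static int page_perms(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    unsigned long lo, hi;
    int found = -1;
    if (!f) return -1;
    while (found && fgets(line, sizeof line, f))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, out) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi)
            found = 0;
    fclose(f);
    return found;
}

/* Emit into a R/W page, seal it R/X, run it; the page is never W and X at once. */
int jit_wx_demo(char before[5], char after[5]) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int rc = -1;
    uint8_t *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, CODE, sizeof CODE);                  /* writable, not executable */
    if (page_perms(p, before) == 0 &&
        mprotect(p, len, PROT_READ | PROT_EXEC) == 0 && /* drop W, add X */
        page_perms(p, after) == 0) {
        __builtin___clear_cache((char *)p, (char *)p + sizeof CODE);
        rc = ((int (*)(void))(uintptr_t)p)();      /* executable, not writable */
    }
    munmap(p, len);
    return rc;
}
```
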

  • by Anonymous Coward

    Including the Amazon fire phone? alrighty then.
