Hewlett-Packard’s Zero Day Initiative (ZDI) is hosting its first mobile Pwn2Own hacking competition in Japan this week, and both the Google Android and Apple iOS operating systems have already been compromised.
The mobile Pwn2Own event is co-located at the PacSec Conference in Tokyo and offers the promise of $300,000 in prize money to researchers who successfully demonstrate previously unknown mobile attacks and vulnerabilities. Brian Gorenc, manager of ZDI at HP Security Research, told eWEEK in a call from Japan that on Nov. 13, the first day of the competition, researchers from China and Japan were the first to successfully demonstrate their security prowess.
Team MBSD (Mitsui Bussan Secure Direction) from Japan was able to successfully exploit a fully patched, non-rooted Samsung Galaxy S 4 Android phone. The researchers didn’t exploit the phone with a single vulnerability; rather they were able to chain together a complex set of flaws across multiple applications that were installed by default on the Galaxy S 4, Gorenc said. The result was that by simply visiting an infected Website, the researchers were able to steal the user’s messaging logs, contacts, browsing history and other personally identifiable information.
“It is quite a significant discovery from MBSD, especially since they were able to chain so many vulnerabilities together to get the permissions needed to exploit the device,” Gorenc said.
At the 2012 mobile Pwn2Own event in Amsterdam, researchers were also able to exploit Android, though the root cause in that exploit was achieved by way of a Near Field Communication (NFC) related flaw. Gorenc stressed that the new flaw reported in Japan is completely different and doesn’t make use of NFC at all.
For their efforts, HP is awarding Team MBSD the tidy sum of $40,000 in cash.
Apple’s iOS was successfully exploited by Keen Team, a team of security researchers from China. Keen Team was able to exploit a fully patched iPhone running iOS 7.0.3 to steal user credentials.
“The vulnerability was in the Safari Web browser, and they were able to exfiltrate user data including the cookie database,” Gorenc said.
Cookie data on a browser can often store user information, including credentials needed for Websites such as Facebook. As part of the competition demo, a Facebook account was set up, which was then compromised by Keen Team by way of the Safari exploit.
The same exploit might well also exist on desktop versions of Apple’s Safari Web browser. The vulnerability found by Keen Team is a WebKit-related flaw, according to Gorenc, and WebKit is the core rendering engine behind both the mobile and desktop versions of Safari.
“We haven’t been able to confirm yet if the vulnerability works on the desktop,” he said.
For its efforts, HP awarded Keen Team $27,500. As to why Keen Team did not earn the full $40,000 award, Gorenc said the Keen Team exploit was not in fact a full Apple sandbox bypass. The Apple sandbox is a technical construct in iOS that aims to limit the ability of applications to execute code outside of a defined isolated area. Gorenc added that one of the interesting things about the Keen Team disclosure was how much damage could be done, even though the team was not able to bypass the Apple sandbox.
Overall, the Japanese event so far is doing exactly what Gorenc hoped it would do. The previous mobile Pwn2Own event was held in Europe, and by holding the current event in Japan the plan is to further encourage security researcher participation in Asia. Given that the first two winners were from China and Japan, the plan is working out.
“We have already been able to disclose more vulnerabilities to vendors on our first day than we were able to in our event last year,” Gorenc said. “It’s quite enjoyable to have a better working relationship with researchers on this side of the globe, and we hope to encourage that even more.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.