Mobile Pwn2Own 2014: Windows Phone’s sandbox resists attack
The Mobile Pwn2Own 2014 hacking competition, held at the PacSec Applied Security Conference in Tokyo, Japan, was concluded on Thursday, and not one of the targeted phones has survived completely unscathed.
Of the targets available for selection, Amazon Fire Phone, Apple iPhone 5S, Samsung Galaxy S5, and Google/LG Nexus were completely “pwned,” the Nokia Lumia 1520 running Windows Phone partially, and BlackBerry Z30, Apple’s iPad Mini and the Nexus 7 weren’t targeted at all.
Competitors were encouraged to come at the phones from a variety of sides – via the mobile web browser, through mobile app and OS holes, via Bluetooth, Wi-Fi or NFC, messaging services or, in limited cases, via baseband.
A successful exploitation of a bug in the latter carried with it a $150,000 prize, the others less: $100,000 for messaging services, $75,000 for short distance and $50,000 for the browser, apps or OS.
Not many details about the successful exploits were provided, as the information is first shared with vendors and will be shared with the public once the bugs are closed.
What we know is that the Apple iPhone 5S was owned via the Safari browser by exploiting two bugs, the Amazon Fire Phone was breached via three bugs in its browser, Samsung Galaxy S5 was successfully targeted via NFC by two different teams (one by triggering a deserialization issue in certain code, and the other by targeting a logical error), and the Nexus 5 was forced to pair with another phone via Bluetooth.
The two contestants that did their attacks on the second day were less successful: J??ri Aedla used Wi-Fi to target a Nexus 5, but was unable to elevate his privileges further than their original level. And Nico Joly tried to exploit Lumia’s browser, but didn’t manage to gain full control of the system as the sandbox held. He did, however, manage to extract the cookie database.
More details about the exploits can be expected in the coming weeks, as the vendors patch the bugs and the contestants are given leave to discuss their attacks publicly.