Some of the world’s most popular smartphones have been prized open at the Mobile Pwn2Own hacking contest in Tokyo, Japan this week. Hosted by the HP Zero Day Initiative, the competition offered up big cash prizes for those who could show off their exploits and five teams succesfully broke security protections on the Amazon Fire Phone, iPhone 5S, LG Nexus 5 and the Samsung S5. Day One of the annual Mobile Pwn2Own competition closed with nine bugs exploited and provided to vendors via coordinated disclosure.
South Korean competition veterans lokihardt@ASRT demonstrated a two-bug combination that pwned the Apple iPhone 5S via the Safari browser. While details of these and all other Pwn2Own bugs are closely held among the researcher, vendor, and ZDI, one of the bugs executed a full Safari sandbox escape.
The second contest was the first of two consecutive and successful attempts against the Samsung Galaxy S5. The first effort, from Japan’s Team MBSD, used NFC as a vector to trigger a deserialization issue in certain code specific to Samsung.
The other Samsung pwnage, brought to the competition by Jon Butler of South Africa’s MWR InfoSecurity, took another approach focusing on NFC. In this case, the exploit targeted a logical error that’s possible on the Samsung Galaxy S5 devices.
Adam Laurie from the UK’s Aperture Labs stepped up in the fourth competition spot with another NFC attack. A two-bug exploit targeting NFC capabilities on the LG Nexus 5 demonstrated a way to force BlueTooth pairing between phones.
Finally, the three-man MWR InfoSecurity team of Kyle Riley, Bernard Wagner, and Tyrone Erasmus wrapped up the first day of competition with a successful three-bug medley targeting the Amazon Fire Phone’s Web browser.
However, the Windows Phone OS kept out VUPEN researcher Nico Joly, who couldn’t pop a Lumia 1520 despite getting at the cookie database on the device.
On Thurdsay, the contest greets its final two participants, Nico Joly targeting Windows Phone and Jüri Aedla targeting Android.
The prize pool for this year's Mobile Pwn2Own is rising, with HP and its sponsors offering over $425,000 (USD) in cash and prizes to researchers who successfully compromise selected mobile targets from particular categories, which is $125,000 more than last year’s contest.