Popular Smartphones Hacked At Mobile Pwn2Own 2014

wiredmikey writes Researchers have hacked several popular smartphones during the Mobile Pwn2Own 2014 competition that took place alongside the PacSec Applied Security Conference in Tokyo this week. The competition, organized by HP's Zero Day Initiative (ZDI) targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5. Using various attacks, some Mobile Pwn2Own 2014 Pwnage included: Apple's iPhone 5s (hacked via the Safari Web browser, achieving a full sandbox escape); Samsung's Galaxy S5 (hacked multiple times using near-field communications attacks); Amazon's Fire Phone (Web browser exploited); Windows Phone (partial hacks using a browser attack), andthe Nexus 5 (a Wi-Fi attack, which failed to elevate privileges). All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.

Re:Apple

iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.) It should come as no surprise that this means that it is the most obvious attack point, as it's the only iOS app that's allowed to run arbitrary code and that runs by default in a blatantly insecure configuration "for speed."

I'd make fun of Apple for putting security behind performance, but having used Mobile Safari behind, instead I'll make fun of them for putting performance ahead of security and still making a slow, piece of crap mobile browser that can barely deal with a single page of HTML and becomes a slideshow once you throw even the tiniest amount of JavaScript at it.