Slashdot Mirror

← Back to Stories (view on slashdot.org)

Popular Smartphones Hacked At Mobile Pwn2Own 2014

Posted by timothy on from the keep-it-in-a-faraday-cage dept.

wiredmikey writes Researchers have hacked several popular smartphones during the Mobile Pwn2Own 2014 competition that took place alongside the PacSec Applied Security Conference in Tokyo this week. The competition, organized by HP's Zero Day Initiative (ZDI) targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5. Using various attacks, some Mobile Pwn2Own 2014 Pwnage included: Apple's iPhone 5s (hacked via the Safari Web browser, achieving a full sandbox escape); Samsung's Galaxy S5 (hacked multiple times using near-field communications attacks); Amazon's Fire Phone (Web browser exploited); Windows Phone (partial hacks using a browser attack), andthe Nexus 5 (a Wi-Fi attack, which failed to elevate privileges). All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.

35 of 52 comments (clear)

  1. BlackBerry by Anonymous Coward · · Score: 3, Interesting

    So did they not hack the Z30, or did they not try?

    1. Re:BlackBerry by Anonymous Coward · · Score: 1

      Windows Phone faster, more secure than iPhone and Android. The only thing they were able to get from the Windows phone is some cookies, while all of the others got owned.

    2. Re:BlackBerry by bloodhawk · · Score: 1

      They didn't hack a nokia 5100 or a Motorola razr either. Probably for the exact same reason, why expend effort to hack something nobody uses anymore.

    3. Re:BlackBerry by Anonymous Coward · · Score: 1

      Sounds like a great way to give yourself security while still being able to run the latest Android apps. Anyone who cares about security and wants to run the latest software should consider buying one.

      No, I'm not being facetious. Try one for yourself and get back to me with a list of Android apps you tried yourself with the latest firmware that don't run.

    4. Re:BlackBerry by bloodhawk · · Score: 1

      sadly I have tried the latest Z30, and no being a smaller security target for people is not worth the pain of being forced to use it. The last few blackberry's combined with the abortion that is the BES made it very easy for where I work to finally pull the plug on blackberry as neither the Users wanted it and the poor bastards having to run BES certainly didn't want it.

    5. Re:BlackBerry by Anonymous Coward · · Score: 1

      You lie. You don't need BES to run any BlackBerry 10 device.

      The simple fact is that BlackBerry 10 is the most advanced smartphone operating system in existence, and it isn't even close. It was written from the ground up in the smartphone era, and steals the best interface ideas from other older operating systems like Android (stylistically in 10.3), WebOS (previews), and Meego (gestures). It is a QNX microkernel with Qt, with the ability to run sandboxed Android apps. Security wise, it has not been broken. The guy who broke the BlackPhone worked ALL SUMMER just to prove a point and still failed.

      But you knew that; the BES comment you made was just a misunderstanding and not you just making shit up, right?

  2. BlackBerry Z30 by Anonymous Coward · · Score: 1

    Not hacked? How strange. Well, have fun with your Apple Pay and Google Wallet!

    1. Re:BlackBerry Z30 by Russ1642 · · Score: 2

      Why put in any effort to hack a Z30 when there are only eight of them in use?

    2. Re:BlackBerry Z30 by Anonymous Coward · · Score: 1

      I'm sure happy to be one of those eight. It's nice to be 1337.

    3. Re:BlackBerry Z30 by ArhcAngel · · Score: 1

      The only problem is they gave the keys to the government of india.

      Every carrier (this wasn't about the phone but the network) in India provides a back door to the Indian government. You only heard about BlackBerry because they fought it for two years. Until then most people weren't even aware (they still aren't) that BlackBerry is a global network carrier as well as a phone manufacturer.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    4. Re:BlackBerry Z30 by Khyber · · Score: 1

      That's okay, their grasp of English is poor enough that it's not a concern!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:BlackBerry Z30 by minstrelmike · · Score: 1

      Every carrier (this wasn't about the phone but the network) in India provides a back door to the Indian government.

      Lucky for all of us in America that we have the Department of Homeland Security "protecting" our private data.
      (That's called sarcasm for those of you who are poorly socialized.)

  3. Bend? by ROBOT9001 · · Score: 3, Funny

    I heard the new iPhone 6 Plus exploits are very flexible.

  4. Physical Access = Game Over by rodrigoandrade · · Score: 5, Insightful

    Haven't we learned by now that physical access to a device steamrolls every security measure put in place?? Why are we still shocked and awed by headlines like these?

    1. Re:Physical Access = Game Over by NotInHere · · Score: 3, Interesting

      While its true that there is no way to prevent breaking in with physical access (even the "secure element" (an integrated sim card) can be hacked with proper technology), I can't see any attack in TFS that required physical access. A smartphone should be protected against a malicious wifi hotspot or NFC terminal, and I wouldn't regard communications with those as "physical access".

    2. Re:Physical Access = Game Over by locotx · · Score: 1

      Physical access IS root access !

    3. Re:Physical Access = Game Over by Alrescha · · Score: 1

      "I can't see any attack in TFS that required physical access."

      You read the article? What the hell is wrong with you? /s

      A.

      --
      ...bringing you cynical quips since 1998
    4. Re:Physical Access = Game Over by NotInHere · · Score: 1

      TFSINTFA : The Fucking Summary Is Not The Fucking Article

      you have a 5 digit ID you should know that.

    5. Re:Physical Access = Game Over by wiredmikey · · Score: 1

      Physical access isn't needed for all these attacks. For example, on the iPhone, all it would take would be to get a user to visit a page hosting the malicious code. It may require some social engineering or a watering hole attack but that's not incredibly difficult.

    6. Re:Physical Access = Game Over by sexconker · · Score: 1

      Physical access is much, much more powerful than root access.

    7. Re:Physical Access = Game Over by hey! · · Score: 1

      I dunno. Has anyone ever (publicly) cracked a disk encrypted with bitlocker and TPM? I'm sure it can be done, but it'd be surprising if it were done without ripping the computer apart and using exotic equipment to peer into the state of the TPM.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    8. Re:Physical Access = Game Over by mjwx · · Score: 1

      Haven't we learned by now that physical access to a device steamrolls every security measure put in place?? Why are we still shocked and awed by headlines like these?

      Except that these can all be remote exploits.

      - The Iphone 6 was pwned first via a web browser exploit allowing the exploit to escape the sandbox.
      - The Samsung Galaxy S5 was second with an NFC exploit.
      - The Nexus 5 was third with a Bluetooth exploit that forced a pairing between devices

      All three of these can be executed remotely, however of the three only the Iphone attack escaped the sandbox. The NFC exploit used on the Samsung can be used on all NFC enabled Android phones but it uses a model specific code, so it's not a one size fits all exploit. Beyond this, the simple fix/workaround for the Android exploits is to turn off NFC and Bluetooth when not in use (I already do this anyway).

      But as we're all enlightened, security minded slashdotters I'm sure none of us are keeping important information on our smartphones.

      Oh, and the Windows phone was also crackd... but no-one cares about Windows phones.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Physical Access = Game Over by Alrescha · · Score: 1

      Yes, I caught it after I posted. I blame it on the caffeine, and one can't edit.

      Sorry you missed a perfect opportunity to reply to my humorous post with one of your own. I think something along the lines of "Of course I didn't read the actual article - do you think I'm crazy?" would have been a good choice. But perhaps only someone with a 5-digit ID would have seen that...

      A.

      --
      ...bringing you cynical quips since 1998
  5. Apple by ArcadeMan · · Score: 1

    In Apple's defense, all the hacks were executed via the Flash plug-in, Java and Adobe Reader.

    Oh, this is about iOS devices?

    Apple, what the fuck are you doing?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Apple by Anonymous Coward · · Score: 2, Informative

      iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.) It should come as no surprise that this means that it is the most obvious attack point, as it's the only iOS app that's allowed to run arbitrary code and that runs by default in a blatantly insecure configuration "for speed."

      I'd make fun of Apple for putting security behind performance, but having used Mobile Safari behind, instead I'll make fun of them for putting performance ahead of security and still making a slow, piece of crap mobile browser that can barely deal with a single page of HTML and becomes a slideshow once you throw even the tiniest amount of JavaScript at it.

    2. Re:Apple by jones_supa · · Score: 1

      iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.)

      Hmm... interesting... do PC web browsers do the same thing? In that case, one would think that if the OS implements NX protection, then the JS interpreter would not work.

    3. Re:Apple by cbhacking · · Score: 1

      No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java, .NET, Flash). You allocate the memory, with pages mapped R/W. You emit JIT-compiled code into a page. You re-map the page to R/X! Repeat as more pages are needed. You never, even have a R/W/X page.

      In fact, browsers (IE and Chrome at a minimum, probably others) and Flashplayer take things a step further. Since you can generate a huge number of almost-entirely-attacker-controlled instructions by doing operation that will compile down as arithmetic on immediate values (constants), and since x86 (and, to a lesser extent, many ARM systems courtesy of THUMB-2 mode) allows code to be interpreted as a completely different instruction sequence if you enter the binary stream in the middle of an instruction, one technique for getting executable-mapped shellcode into a browser is to have a script that does a ton of arithmetic on carefully chosen constants. Therefore, the above-mentioned JITs (IE, Chrome, Flashplayer, maybe others) use a technique called "constant blinding" where every constant operation is actually emitted as two instructions: a masked constant getting XORed with its mask value to produce the expected constant (in a register), and then an operation on that value. No long sequence of known instructions with attacker-controlled immediates means no way to predict the result of entering an instruction stream at an offset.

      If Safari on iOS really is so stupid as to have R/W/X pages just because of its JIT, Apple has fucked up colossally.

      --
      There's no place I could be, since I've found Serenity...
    4. Re:Apple by CommanderK · · Score: 1

      No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java, .NET, Flash). You allocate the memory, with pages mapped R/W. You emit JIT-compiled code into a page. You re-map the page to R/X! Repeat as more pages are needed. You never, even have a R/W/X page.

      For Chrome, at least, you're completely wrong. Chrome (or more specifically V8) maps all code pages as RWX, then starts writing and modifying code in-place in those RWX pages. Having writable code is required for several V8 features, like inline caches and code garbage collection. Chrome is just as bad in this regard as Safari. However, it's not allowed to do this on iOS, only on desktops and Android (AFAIK).

  6. Re:Device is not relevant but OS version is. by ArcadeMan · · Score: 2

    And if it is via iOS 6 and Safari, that means all older devices are now unsafe to use as Web devices and Apple will probably never release a patch for them.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  7. popular smartphones?? by Anonymous Coward · · Score: 1

    Including the Amazon fire phone? alrighty then.

  8. Re:Device is not relevant but OS version is. by mlts · · Score: 1

    If the hack results in a jailbreak, I'm sure there will be a patch or a workaround on Cydia. I remember this happening with a SSL issue a few years ago.

  9. Re:NFC attacks by mlts · · Score: 1

    Samsung did a decent job so far. It took a five digit bounty to even achieve root (much less a usable bootloader unlock) on the 5S using the towelroot exploit.

  10. Re:Device is not relevant but OS version is. by minstrelmike · · Score: 2

    If the hack results in a jailbreak, I'm sure there will be a patch or a workaround on Cydia. I remember this happening with a SSL issue a few years ago.

    Absolutely true. If the hack causes users to trash their old phone and buy a new one, well there's an incentive for the company to NOT fix the hack.
    OTOH, if the hack causes jailbreaking and the carrier loses money, now we're talking about terrorists trying to destroy the entire capitalist system.
    Incentives are very powerful.

  11. Amazon Fire phone is popular? by generic_screenname · · Score: 1

    Since when?

  12. Apple has released patches for "obsolete" OS by perpenso · · Score: 1

    And if it is via iOS 6 and Safari, that means all older devices are now unsafe to use as Web devices and Apple will probably never release a patch for them.

    Actually Apple has released patches for "obsolete" OS versions when a critical security bug has been found. Especially for OS versions that are the final version that some particular device can upgrade to. I believe iOS 6.1.6 was exactly such an upgrade eight months ago for the iPhone 3GS. I recall my circa 2008 MacBook receiving a patch for Mac OS X Lion 10.7 in recent months.