Popular Smartphones Hacked At Mobile Pwn2Own 2014
wiredmikey writes Researchers have hacked several popular smartphones during the Mobile Pwn2Own 2014 competition that took place alongside the PacSec Applied Security Conference in Tokyo this week. The competition, organized by HP's Zero Day Initiative (ZDI), targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5. Using various attacks, some Mobile Pwn2Own 2014 Pwnage included: Apple's iPhone 5s (hacked via the Safari Web browser, achieving a full sandbox escape); Samsung's Galaxy S5 (hacked multiple times using near-field communications attacks); Amazon's Fire Phone (Web browser exploited); Windows Phone (partial hacks using a browser attack), and the Nexus 5 (a Wi-Fi attack, which failed to elevate privileges). All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.
So did they not hack the Z30, or did they not try?
I heard the new iPhone 6 Plus exploits are very flexible.
Haven't we learned by now that physical access to a device steamrolls every security measure put in place?? Why are we still shocked and awed by headlines like these?
And if it is via iOS 6 and Safari, that means all older devices are now unsafe to use as Web devices and Apple will probably never release a patch for them.
Why put in any effort to hack a Z30 when there are only eight of them in use?
iOS Safari is "special" and is the only iOS app that's allowed to have writable, executable pages. (As it is the only app allowed to run the JavaScript JIT compiler.) It should come as no surprise that this means that it is the most obvious attack point, as it's the only iOS app that's allowed to run arbitrary code and that runs by default in a blatantly insecure configuration "for speed."
I'd make fun of Apple for putting security behind performance, but having used Mobile Safari behind, instead I'll make fun of them for putting performance ahead of security and still making a slow, piece of crap mobile browser that can barely deal with a single page of HTML and becomes a slideshow once you throw even the tiniest amount of JavaScript at it.
If the hack results in a jailbreak, I'm sure there will be a patch or a workaround on Cydia. I remember this happening with an SSL issue a few years ago.
Absolutely true. If the hack causes users to trash their old phone and buy a new one, well, there's an incentive for the company to NOT fix the hack.
OTOH, if the hack causes jailbreaking and the carrier loses money, now we're talking about terrorists trying to destroy the entire capitalist system.
Incentives are very powerful.