Mobile Pwn2Own 2014: results

    A few days ago, the famous Mobile Pwn2Own 2014 contest, which took place in Tokyo, ended. Vulnerability researchers from security companies were invited to demonstrate successful exploitation of vulnerabilities on well-known mobile devices, including the Apple iPhone 5s & iPad Mini, Amazon Fire Phone, BlackBerry Z30, Google Nexus 5 & 7, as well as the Nokia Lumia 1520 and Samsung Galaxy S5. Successful exploitation had to lead to remote code execution in the mobile OS via the browser, or to control of the device through a built-in application or the OS itself (iOS, Fire OS, BlackBerry OS, Android, Windows Phone). All OSs were shipped with the latest updates (fully patched).

    For remote code execution through a browser or through the OS itself (with full access to the OS in all cases), $50K was offered; for the same thing at the level of the Bluetooth, Wi-Fi and Near Field Communication (NFC) services, $70K. One of the main difficulties in demonstrating an exploit was the so-called full sandbox escape, i.e., bypassing the OS restrictions imposed on the mobile application being exploited, which prevent remote code execution even when the vulnerability itself is present in the code of, for example, a browser. To circumvent this security mechanism, as a rule, auxiliary OS vulnerabilities of the Elevation of Privilege type are used, which help to obtain maximum rights in the system.

    On the first day of the competition, all of the claimed devices were successfully pwned. A well-known South Korean resident under the pseudonym lokihardt @ ASRT demonstrated successful code execution through the Safari browser with full access to the OS on the Apple iPhone 5S. Thus, he managed to find an RCE vulnerability in Safari and also bypassed its iOS sandbox (full Safari sandbox escape). A similar situation occurred with the Samsung Galaxy S5: it was pwned on the first attempt by members of Team MBSD. Control over the OS was gained through the NFC service. In total, the following were hacked on the first day:

    • Apple iPhone 5S via Safari x 1 = $ 50K (lokihardt @ ASRT)
    • Samsung Galaxy S5 via NFC x 2 = $ 150K (Team MBSD, MWR InfoSecurity)
    • LG Nexus 5 via Bluetooth x 1 = $ 75K (Aperture Labs)
    • Amazon Fire Phone via browser x 1 = $ 50K (MWR InfoSecurity)

    According to the results of the second day of the competition, the sandbox security mechanism of Windows Phone 8 (Nokia Lumia 1520) held up. The VUPEN team was able to demonstrate a working RCE exploit, that is, to exploit a vulnerability in IE and obtain some information about the user's activity, namely the cookie database. However, the sandbox mechanism was not bypassed, which prevented full access to the Windows Phone environment (partial pwnage).

    The same fate befell another researcher, Jüri Aedla, who demonstrated partial pwnage of the Wi-Fi service in Android on the Google Nexus 5. He was unable to gain full access to the device, since the exploit could not get around sandboxing in Android.

    According to the rules of the competition, vulnerabilities demonstrated by the researchers are immediately sent to the respective vendors for analysis and release of the corresponding update.
