Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

iPhone 5, Galaxy S4 zero-day exploits revealed at HP Pwn2Own contest

Ellen Messmer | Nov. 14, 2013
Two Japanese hacking teams win over $67000 in prizes from HP for finding vulnerabilities.

Two teams of Japanese "white hat" hackers have been declared victors at HP's Pwn2Own 2013 contest in Tokyo today for finding zero-day exploits that allowed them to compromise the Apple iPhone 5 and the Samsung Galaxy S4.

Winners of the white hack
Team MBSD, of Mitsui Bussan Secure Directions after demonstrating Samsung application vulnerabilities at Mobile Pwn2Own

HP has just reported to Apple and Samsung how these exploits were carried out by the Keen Team and Mitsui Bussan Secure Directions team, respectively, so that fixes can be made. The Keen Team won $27,500 from HP for its efforts, and the Mitsui Bussan Secure Directions team won $40,000. Neither HP nor the winning teams will make the exact exploits available publicly.

The vulnerability discovered in the iPhone 5 using iOS 7 is an exploit against the Safari browser that lets the attacker "weaponize" the victim's phone by compromising it to steal contact data, photos, or carry out attacks such as taking over the victim's Facebook page, says Brian Gorenc, manager of vulnerability research in HP's security division for zero-day research. He adds that vulnerabilities were also discovered in the Apple iOS 6 platform as well related to Safari.

The vulnerability in the Samsung Galaxy S4 was carried out against at least one app that ships with the device, though HP is not saying exactly which one or ones. The vulnerabilities allow the attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone. "They can do whatever they want" after that, says Gorenc. This might include stealing SMS messages on the phone, contact lists and more.

Gorenc says HP was glad to be able to have its Pwn2Own hacking competition for finding zero-day exploits in Tokyo this year so that it could have more direct interaction with security researchers with hacking skills in Asia, with most attendance coming from Japan and China.

The best-known Pwn2Own contest takes place annually at the CanSecWest conference


Sign up for CIO Asia eNewsletters.