Mobile Pwn2Own 2014: iPhone 5s, Galaxy S5, Nexus 5, Fire Phone Hacked

Researchers hacked several of the latest popular smartphones during the Mobile Pwn2Own competition that took place alongside the PacSec Applied Security Conference in Tokyo on November 12-13.

The competition, organized by HP’s Zero Day Initiative (ZDI) and sponsored by BlackBerry and the Google Android Security team, targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5.

An HP spokesperson told SecurityWeek that the compromised iPhone 5s was running iOS 8.1.

According to HP, which prepared $425,000 in cash and prizes for the 2014 Mobile Pwn2Own, the first day of the competition started with a successful hack of Apple’s iPhone 5s. Members of the South Korean team lokihardt@ASRT “pwned” the device by using a combination of two vulnerabilities. They attacked the iPhone 5s via the Safari Web browser and achieved a full sandbox escape.

Later in the day, Team MBSD from Japan hacked Samsung’s Galaxy S5 by using a near-field communications (NFC) attack that trigger a deserialization issue in certain code specific to Samsung. Jon Butler of South Africa’s MWR InfoSecurity also managed to break the Galaxy S5 via NFC.

NFC was also utilized by UK-based researcher Adam Laurie from Aperture Labs to hack an LG Nexus 5.

 “A two-bug exploit targeting NFC capabilities on the LG Nexus 5 (a Google-supported device) demonstrated a way to force BlueTooth pairing between phones – a plot point, as several observers noted, on the television show ‘Person of Interest’,” Shannon Sabens, a senior security content developer at HP, wrote in a blog post summarizing the first day of Mobile Pwn2Own.

Kyle Riley, Bernard Wagner, and Tyrone Erasmus of MWR InfoSecurity used a combination of three vulnerabilities to break the Web browser on the Amazon Fire Phone.

On the second day of the competition, contestants only managed partial hacks. Nico Joly, who took part in Pwn2Own earlier this year with the French team VUPEN, attempted to “pwn” the browser running on Windows Phone (Nokia Lumia 1520). Joly managed to exfiltrate the cookie database, but the sandbox prevented him from taking complete control of the system.

Jüri Aedla of Estonia used a Wi-Fi attack against a Nexus 5, but failed to elevate his privileges, HP said.

All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.

Related: iOS Security Issue Allows Attackers to Swap Good Apps for Bad Ones

Related: Metasploit Module Released for New UXSS Vulnerability in Android Browser

Related: “WireLurker” Malware Targets iOS, Mac OS X Users via Trojanized Applications

*Updated to add version of iOS running on the compromised iPhone 5s.