Partial success recorded in final day of the competition

Nov 13, 2014 23:15 GMT  ·  By

Mobile Pwn2Own hacking competition drew to an end on Thursday on a more cheerful note for the developers of Windows Phone and the Android operating system, as the hackers achieved their goal only partially.

As its name suggests, the contest is the mobile counterpart of Pwn2Own, organized by HP’s Zero-Day Initiative (ZDI), and it focuses on demonstrating zero-day exploits that can be used for taking complete control of the device.

No prizes for the second day contestants

In the last day of the event, Nico Joly, a veteran researcher from French security firm Vupen, tried his skills against a Lumia 1520 Windows Phone, attempting an exploit for the web browser in order to take complete control of the device.

However, the sandbox component prevented him from owning the phone and he only managed to exfiltrate the cookie database, which is a feat in itself as cookies can be used to access online accounts of an individual and make changes as if they were made by the owner.

The second competitor was Jüri Aedla, who took aim at Android conducting a WiFi-based attack (DHCP glitch permitted remote code execution) against a Nexus 5 running Android.

He was also unsuccessful in assuming control of the device, his attempts failing to elevate privileges beyond their original state; he did manage to demonstrate code execution though, by remotely launching the web browser.

Mobile Pwn2Own is sponsored this year by Google and Blackberry, which offered $425,000 / €341,500 in cash prizes. It was held in Tokyo at the PacSec security conference.

All competitors were successful in the first day of the event

During yesterday’s session the hackers successfully hijacked devices from Samsung (Galaxy S5), LG (Nexus 5), Apple (iPhone 5S) and Amazon (Fire Phone).

The Near Field Communication (NFC) technology was used as the attack vector in three of the cases, two of the attacks targeting Galaxy S5 (Jon Butler of South Africa’s MWR InfoSecurity and Team MBSD from Japan) and one being aimed at Nexus 5 by Adam Laurie from the UK’s Aperture Labs.

To compromise the iPhone, lokihardt@ASRT made use of two bugs in order to create a full sandbox escape in the Safari web browser.

In the case of Amazon Fire, a combination of three security glitches in the web browser was necessary to gain complete control of the device.

The prize for successful exploitation of the web browser is $50,000 / €40,000, the same as for leveraging a zero-day in a mobile application. NFC-based attacks are worth more, earning the hackers $75,000 / €60,000.

None of the exploits have been made public, as per the rules of the contest, but ZDI verified and validated them, taking immediate action to disclose them to the companies involved in the development of the affected products.

ZDI promised to provide details about the individual exploits used during the competition in the coming weeks.

Mobile Pwn2Own hacking competition (6 Images)

Nokia Lumia 1520 running Windows Phone
Internet Explorer on Lumia 1520IE sandbox preventing owning the device
+3more