Author: Heather Goudey, senior security content developer, HP
Our 2013 Mobile Pwn2Own contest, held in Tokyo at the recent PacSec conference, is over and we get to take a moment to reflect on what we’ve seen and what it means for us as vulnerability researchers and you as a user of mobile technology.
You never know exactly what’s going to happen at a Pwn2Own contest and this one was no different. We had three entrants bring their exploits to the arena to share their research and claim their prize (in total $117,500 USD). There were also researchers, heads down, frantically working on their PoCs over the course of the two days so that they could demonstrate them before the end of the contest. Would they be ready in time?
So what happened at the contest and what does it mean for you?
To kick things off, we had our first ever winning Chinese team present two different exploits against Safari. The first exploit demonstrated by the Keen Team resulted in the compromise and capture of Facebook credentials on iOS 7.0.3 while the second exploit against iOS 6.1.4 resulted in the theft of photos from the affected device. It’s not too much of a stretch to see where this capture of personal, sensitive details is going.
The second team, MBSD, exploited multiple apps on the Samsung Galaxy S4 in a chain the researchers observing in the room described as ‘elegant’. They were greeted by a surprised and respectful round of applause as malware was silently installed on the device and the data exfiltration payload was executed.
On day two, after an initial delay during which we ensured that the targeted device was configured appropriately, we again witnessed, within minutes, a successful exploit on two different devices and paid $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4, just for good measure.
As well as showcasing the work of vulnerability researchers in the field, the HP ZDI team also demonstrated some of their own research to the PacSec conference delegates. Our own Abdul and Matt demonstrated a 0-day exploit against IE 11 on Windows 8.1, running on a Surface Pro. The demonstration took advantage of a use-after-free issue in IE 11 to leak an address, allowing them to bypass ASLR and DEP. Abdul and Matt launched calc.exe from the browser and also demonstrated a weaponized Metasploit module. (While the vulnerability has been disclosed responsibly to the vendor, we are unable to provide further details at this time.) The ZDI team also prepared an SMS fuzzer demonstration – a hello world for GSM and SDR.
The key takeaway is: the sensitive data you store on your mobile device is possibly not as safe as you think. There is an implicit level of trust that users bring to their use of mobile devices that may be somewhat misplaced. While the exploitation of mobile devices isn’t exactly child’s play (or even remotely close – respect where it’s due), watching the professional and succinct exploits at the contest showed an endgame where the personal, sensitive, confidential, valuable data that you store on your mobile is just as vulnerable to compromise, directly by attackers or indirectly by malware, as the data you store anywhere else.
The data successfully exfiltrated at the contest was as sensitive as anything you would store anywhere, beyond a few choice details, and the vulnerabilities that were exploited to compromise that data were not trivial. This is not a contest for script kiddies – we saw some very professional and advanced vulnerability researchers from the Asia Pacific region showcasing their skills – but regardless, we can expect that exploits similar to those on show will appear in the wild (and most likely already have, but are as yet undiscovered by the security industry).
We would like to thank Dragos and the PacSec organizers, our sponsors – the Google Chrome and Android security teams and BlackBerry – our contestants for sharing their research, and most especially, Japanese customs for not confiscating our gear – as strange as we must have looked.
Domo arigato
The ZDI team