Our 2013 Mobile Pwn2Own contest, held in Tokyo at the recent PacSec conference, is over and we get to take a moment to reflect on what we’ve seen and what it means for us as vulnerability researchers and you as a user of mobile technology.

You never know exactly what’s going to happen at a Pwn2Own contest and this one was no different. We had three entrants bring their exploits to the arena to share their research and claim their prize (in total $117,500 USD). There were also researchers, heads down, frantically working on their PoCs over the course of the two days so that they could demonstrate them before the end of the contest. Would they be ready in time?

So what happened at the contest and what does it mean for you?

To kick things off, we had our first ever winning Chinese team present two different exploits against Safari. The first exploit demonstrated by the Keen Team resulted in the compromise and capture of Facebook credentials on iOS 7.0.3 while the second exploit against iOS 6.1.4 resulted in the theft of photos from the affected device. It’s not too much of a stretch to see where this capture of personal, sensitive details is going.

The second MBSD team’s exploit of multiple apps on the Samsung Galaxy S4 was described as ‘elegant’ by the researchers observing in the room. They were greeted by a surprised and respectful round of applause as malware was silently installed on the device and the data exfiltration payload was executed.

On day two, after an initial delay where we ensured that the targeted device was configured appropriately, again, within minutes, we witnessed a successful exploit on two different devices and paid $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4 just for good measure.

As well as showcasing the work of vulnerability researchers in the field, the HP ZDI team also demonstrated some of their own research to the PacSec conference delegates. Our own Abdul and Matt demonstrated an 0-day exploit against IE 11, Windows 8.1 on a Surface Pro. The demonstration took advantage of a use-after-free issue in IE 11 to leak an address allowing them to bypass ASLR and DEP.  Abdul and Matt launched calc.exe from the browser and also demonstrated a weaponized metasploit module. (While the vulnerability has been disclosed responsibly to the vendor we are unable to provide further details at this time). The ZDI team also prepared an SMS fuzzer demonstration – a hello world for GSM and SDR.

The key takeaway is:  the sensitive data you store on your mobile device is possibly not as safe as you think. There is an implicit level of trust that users bring to their use of mobile devices that may be somewhat misplaced. While the exploit of mobile devices isn’t exactly child’s play (or even remotely close – respect where it’s due) watching the professional and succinct exploits at the contest showed an endgame where the personal, sensitive, confidential, valuable data that you store on your mobile is just as vulnerable to compromise directly by attackers, or indirectly by malware, as the data you store anywhere else.

The data successfully exfiltrated at the contest was as sensitive as anything you would store anywhere, beyond a few choice details, and the vulnerabilities that were exploited to compromise that data were not trivial. This is not a contest for script kiddies – we saw some very professional and advanced vulnerability researchers from the Asia Pacific region showcasing their skills – but regardless, we can expect that exploits similar to those on show will appear in the wild (and most likely, already have but are as yet, undiscovered by the security industry).

We would like thank Dragos and the PacSec organizers, our sponsors – the Google Chrome and Android security teams and Blackberry – our contestants for sharing their research, and most especially, Japanese customs for not confiscating our gear – as strange as we must have looked.

Domo arigato
The ZDI team

The post Mobile Pwn2Own Tokyo 2013 – Crash bang boom appeared first on PWN2OWN.

Day two of Mobile Pwn2Own and after a quiet morning wondering whether the remaining registered contestants would be ready, we had another competitor enter the fray to take a stab at Chromium on the Nexus 4.

After an initial delay where we ensured that the targeted device was configured appropriately, again, within minutes, we had witnessed a successful exploit on two different devices and were ready to pay $50,000 USD for the privilege. Pinkie Pie compromised Chrome on both a Nexus 4 and a Samsung Galaxy S4 just for good measure.

The exploit took advantage of two vulnerabilities – an integer overflow that affects Chrome and another Chrome vulnerability that resulted in a full sandbox escape. The implications for this vulnerability are the possibility of remote code execution on the affected device.

After demonstrating on the Nexus 4, Pinkie Pie turned his attentions to the Samsung Galaxy S4 and within moments it had fallen as well, to be met with applause from the watching crowd.

Similar to the exploits we saw on day one of our contest, in order for the user’s device to be successfully compromised, they would need to be enticed to visit a malicious site in order to be exposed to the malicious code. Again the attack depends on first compromising the user to get them to take an action (e.g. clicking a link in an email, or an SMS or on another web page) and then compromising the device by exploiting these vulnerabilities. The final outcome would be the remote execution of code of an attacker’s choice.

This vulnerability has been disclosed to Google who is working to address.

The post Chrome on a Nexus 4 and Samsung Galaxy S4 falls appeared first on PWN2OWN.

Mobile Pwn2Own 2013 started out with a bang. HP’s Zero Day Initiative and competition co-sponsors Google and Blackberry awarded $67,500 USD for the disclosure of multiple 0-day vulnerabilities and exploit techniques in the Safari browser and mobile applications.  We are excited to bring Pwn2Own to Japan to see the breadth of research from across the world, including exploits which reveal techniques that can help internal security teams improve their mitigations.

As mobile technology advances, an abundance of new risks and vectors for security vulnerabilities is emerging.  From mobile browser to baseband process, this competition is designed to highlight researchers that are working to secure this area. We were lucky enough to have two teams in the first day from China and Japan demonstrate such risks.

In the mobile browser category, Keen Team, a group of security researchers from China, demonstrated two exploits on the iPhone 5 and won $27,500 USD. They first demonstrated an exploit against the Safari browser running on iOS 7.0.3, followed by another exploit on Safari running on iOS 6.1.4. These exploits allow a remote attacker to exfiltrate the cookie database and photos from Apple’s iPhone. More details on this exploit can be found here.

Japan’s very own Mitsui Bussan Secure Directions, Inc. demonstrated an exploit that leveraged vulnerabilities against several applications that are installed by default on the Samsung Galaxy S4. Combined, these bugs allow the silent installation of a malicious application and the theft of sensitive user data including SMS messages, contact list and web browsing history.  This successful attack netted them $40,000 USD. More details on that exploit can be found here.

All of the vulnerabilities and exploit techniques used today have been disclosed to the affected vendors. We have a couple researchers still actively developing exploit attempts and hopefully we will have more action tomorrow!

The post Mobile Pwn2Own 2013 Yields Exploits in Safari, Samsung S4 applications appeared first on PWN2OWN.

Japan’s very own Team MBSD, of Mitsui Bussan Secure Directions, Inc., have demonstrated exploits against several applications installed by default on the Samsung Galaxy S4. Combined, these bugs allow the covert installation of a malicious application and the theft of sensitive data. The spoils for their hard work? A cool $40,000.

This team exploited multiple apps, installed by default on the Samsung Galaxy S4 to install malware and steal confidential data. In order for the exploit to be successful, the affected user must first be lured to an attacker-controlled malicious website. However, from there, no more user interaction is required and an attacker can install arbitrary applications of their choice with system-level privileges on the user’s device.

In this case, the payload was the capture and exfiltration of sensitive data including the affected user’s contacts, bookmarks, browsing history, screen shots, SMS messages, etc.

The implications for this exploit are worrisome. While you may be reticent to click on links (heeding the commonly-given, if somewhat ridiculous advice to ‘click carefully’) it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop. The message here, however, is clear – mobile platforms are vulnerable to the same or very similar methods of malware distribution that plague the desktop and you would be wise to take heed.

This vulnerability was disclosed to Samsung in the chamber of disclosures and they will be working to address.

The post Local Japanese team exploits mobile applications to install malware on Samsung Galaxy S4 appeared first on PWN2OWN.

We have our first winner! In the mobile browser category, Keen Team (from Keen Cloud Tech) demonstrated two iPhone exploits via Safari. The team of eight from China didn’t compromise the sandbox so they will be splitting the $27,500 as compensation.

In a world where social media is thoughtlessly ubiquitous, the Keen Team, with remarkable ease, demonstrated two exploits that were a wake-up call to those who share their personal information on mobile devices.

The team demonstrated two exploits against Safari on an iPhone 5 with the following results:

• Captured Facebook credentials on iOS version 7.0.3
• Stole a photo on iOS version 6.1.4

Note that these phones are NOT jail-broken.

The first was an application exploit. Via Safari, the team were able to steal a Facebook cookie that was then exfiltrated and used to compromise the targeted Facebook account from another machine. In order for the exploit to work, a user would need to click on a link in an email, an SMS, or a web page, so some social engineering would be required to prompt a user to take an action before their credentials could be compromised.

Regardless, this was a lesson to be careful with what personal details you share online and to think twice before you click.

The second was another Safari exploit and it took a little longer due to technical difficulties (we forgot to plug their laptop in). In this case the vulnerability in Safari was exploitable due to issues with the permissions model. Keen Team was able to access photos stored on the device. Again, in order to be successful the affected user would need to click on a link.

Both exploit demonstrations took no more than 5 minutes to achieve.

To the best of our knowledge, these vulnerabilities do not affect Blink (a rendering engine for the Chromium project).

The vulnerabilities have been disclosed to Apple and Google, and they’ll be working to research and remediate these issues as applicable. (The vulnerability was disclosed to Google in order to verify that Blink, and thus Chrome, was not affected).

Keen Team was represented by Daniel Wang, James Fang and Liang Chen. This team also includes Wu Shi, a former external ZDI platinum researcher, renowned for spotting a broad range of vulnerabilities on multiple platforms. Keen Team are the first Chinese team to win at Pwn2Own.

Up next, Takeshi Terada and Tomonori Shiomi, of Mitsui Bussan Secure Directions, Inc. are attempting exploits against several applications installed by default on the Samsung Galaxy S4.

A reminder of the Pwn2Own rules and regulations can be found here.

The post Keen Team exploits Safari in mobile browser category appeared first on PWN2OWN.

Ohayo gozaimas! Welcome to the second annual HP ZDI Mobile Pwn2Own competition at PacSec in Tokyo. We have a big day of mobile pwnage planned and we’ll be posting updates with the results as the devices fall.

Just to remind you, Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through cutting edge research and responsible disclosure.

HP and its sponsors (the Google Android and Chrome security teams, and Blackberry) are offering over $300,000 (USD) in cash and prizes to researchers who successfully compromise selected mobile targets from particular categories.

We have several competitors entering the fray this year targeting different technologies and devices. Specifically in their sights today are the Samsung Galaxy S4 and the iPhone and exploits that target mobile apps and the browser.

Want more detail? Want less? Like your information in short, digestible chunks of 140 characters or less? We’ll also be tweeting regular updates and news on Mobile Pwn2Own during the contest. You can follow us @thezdi on Twitter or search for the hash tag #pwn2own.

For those of you who prefer your news and information in a more graphical format, we also have a dedicated website where you can actually see all the action and meet the contestants. It might not be quite as much fun as being at PacSec in Tokyo in person, but it’s pretty darn close.

Without further ado, let the contest begin!

The post Welcome to Mobile Pwn2Own at PacSec Tokyo – Super, happy fun appeared first on PWN2OWN.

Choose your target now

Contestants are allowed to select the target they wish to compromise during the pre-registration process.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:

• Nokia Lumia 1020 running Windows Phone
• Microsoft Surface RT running Windows RT
• Samsung Galaxy S4 running Android
• Apple iPhone 5 running iOS
• Apple iPad Mini running iOS
• Google Nexus 4 running Android
• Google Nexus 7 running Android
• Google Nexus 10 running Android
• BlackBerry Z10 running BlackBerry 10

** Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is sponsoring a top-up reward for the Mobile Web Browser category. If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000.  There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.

This year’s Mobile Pwn2Own contest is offering the following prizes to the first contestant who successfully compromises their mobile target in the following categories:

• Short Distance/Physical Access ($50,000), either:
  • Bluetooth, or
  • Wi-Fi, or
  • Universal Serial Bus (USB), or
  • Near Field Communication (NFC)
• Mobile Web Browser ($40,000) **
• Mobile Application/Operating System ($40,000)
• Messaging Services ($70,000), either:
  • Short Message Service (SMS), or
  • Multimedia Messaging Service (MMS), or
  • Commercial Mobile Alert System (CMAS)
• Baseband ($100,000)

Enter today!

The deadline to register is fast approaching. Don’t delay, enter today! The contest is open to all delegates at the PacSec 2013 conference (as long as you meet our rather inclusive eligibility requirements).  You can even use a proxy at the conference if you are unable to attend in person.

Start by reviewing the contest rules, here. Next, if you don’t already have a free ZDI researcher account, you need to sign-up here. When you’re all signed up as a ZDI researcher, it’s simply a matter of contacting us to register for the contest.

Please direct all press inquiries for HP Security Research/ZDI to: Cassy Lalan <[email protected]>.

Want to know more?

If you missed it above, the full contest rules are here. We’ll also be tweeting regular updates and news on Mobile Pwn2Own up to and during the contest. You can follow us @thezdi on Twitter or search for the hash tag #pwn2own.

Sponsors

The post Mobile Pwn2Own: Targets await, Register today! appeared first on PWN2OWN.

Start going through your mobile device crashes!

Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through great research and responsible disclosure. It’s the sister contest to ZDI’s Pwn2Own contest, which is now in its seventh year and a regular feature at CanSecWest.

HP and its sponsors are offering over $300,000 (USD) in cash and prizes to researchers who successfully compromise selected mobile targets from particular categories. Contestants will be judged on their ability to uncover new vulnerabilities and develop cutting edge exploit techniques to compromise some of the most popular mobile devices.

This year’s Mobile Pwn2Own contest is offering the following prizes to the first contestant who successfully compromises their mobile target in the following categories:

• Short Distance/Physical Access ($50,000), either:
  • Bluetooth, or
  • Wi-Fi, or
  • Universal Serial Bus (USB), or
  • Near Field Communication (NFC)
• Mobile Web Browser ($40,000) **
• Mobile Application/Operating System ($40,000)
• Messaging Services ($70,000), either:
  • Short Message Service (SMS), or
  • Multimedia Messaging Service (MMS), or
  • Commercial Mobile Alert System (CMAS)
• Baseband ($100,000)

Contestants are allowed to select the target they wish to compromise during the pre-registration process.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:

• Nokia Lumia 1020 running Windows Phone
• Microsoft Surface RT running Windows RT
• Samsung Galaxy S4 running Android
• Apple iPhone 5 running iOS
• Apple iPad Mini running iOS
• Google Nexus 4 running Android
• Google Nexus 7 running Android
• Google Nexus 10 running Android
• BlackBerry Z10 running BlackBerry 10

** Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is sponsoring a top-up reward for the Mobile Web Browser category. If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000.  There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.

How do I enter?

The contest is open to all delegates at the PacSec 2013 conference (as long as you meet our rather inclusive eligibility requirements).  You can even use a proxy at the conference if you are unable to attend in person.

Start by reviewing the contest rules, here. Next, if you don’t already have a free ZDI researcher account, you need to sign-up here. When you’re all signed up as a ZDI researcher, it’s simply a matter of contacting us to register for the contest.

Please direct all press inquiries for HP Security Research/ZDI to: Cassy Lalan <[email protected]>.

More importantly, how do I win?

Be the first to compromise a selected target in one of the categories using a previously unknown vulnerability (one that has not been disclosed to the affected vendor). You’ve got 30 minutes to complete your attempt. When you’ve successfully demonstrated your exploit and ‘pwned’ the targeted device, you need to provide ZDI with a fully functioning exploit and a whitepaper detailing all of the vulnerabilities and techniques utilized in your attack.

A successful attack against these devices must require little or no user interaction and the initial vulnerability used in the attack must be in the registered category.  The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure.  The vulnerabilities utilized in the attack must be unpublished 0-days.

As always, ZDI reserves the right to determine what constitutes a successful attack.

The vulnerabilities and exploit techniques discovered by the winning researchers will be disclosed to the affected vendors. If the affected vendor is at the conference and happy to parlay, we can even arrange to hand over the vulnerability details onsite for the fastest possible remediation.

Want to know more?

If you missed it above, the full contest rules are here. We’ll also be tweeting regular updates and news on Mobile Pwn2Own up to and during the contest. You can follow us @thezdi on Twitter or search for the hash tag #pwn2own.

Sponsorships

The post Mobile Pwn2Own 2013 appeared first on PWN2OWN.