Mobile Pwn2Own 2013 Yields Exploits in Safari, Samsung S4 applications

Author: Brian Gorenc, Manager, Vulnerability Research, Zero Day Initiative, HP Security Research

Mobile Pwn2Own 2013 started out with a bang. HP’s Zero Day Initiative and competition co-sponsors Google and Blackberry awarded $67,500 USD for the disclosure of multiple 0-day vulnerabilities and exploit techniques in the Safari browser and mobile applications.  We are excited to bring Pwn2Own to Japan to see the breadth of research from across the world, including exploits which reveal techniques that can help internal security teams improve their mitigations.

As mobile technology advances, an abundance of new risks and vectors for security vulnerabilities is emerging.  From mobile browser to baseband process, this competition is designed to highlight researchers that are working to secure this area. We were lucky enough to have two teams in the first day from China and Japan demonstrate such risks.

In the mobile browser category, Keen Team, a group of security researchers from China, demonstrated two exploits on the iPhone 5 and won $27,500 USD. They first demonstrated an exploit against the Safari browser running on iOS 7.0.3, followed by another exploit on Safari running on iOS 6.1.4. These exploits allow a remote attacker to exfiltrate the cookie database and photos from Apple’s iPhone. More details on this exploit can be found here.

Japan’s very own Mitsui Bussan Secure Directions, Inc. demonstrated an exploit that leveraged vulnerabilities against several applications that are installed by default on the Samsung Galaxy S4. Combined, these bugs allow the silent installation of a malicious application and the theft of sensitive user data including SMS messages, contact list and web browsing history.  This successful attack netted them $40,000 USD. More details on that exploit can be found here.

All of the vulnerabilities and exploit techniques used today have been disclosed to the affected vendors. We have a couple researchers still actively developing exploit attempts and hopefully we will have more action tomorrow!

Additional Resources

HP Zero Day Initiative

The Zero Day Initiative (ZDI), founded by TippingPoint, is a program designed to reward security researchers for responsibly disclosing vulnerabilities.

HP Enterprise Security

Manage risk, mitigate threats and secure your business.