Attendees at the EuSecWest-sponsored World Security Professional Summit in Amsterdam are participating in a contest called Mobile Pwn2Own. Contestants are, yes, basically revealing that our mobile devices can be easily pwned by someone with the know-how. Quell your bubbling phone fanboy or fangirl rage right now: it looks like both Androids and iPhones are vulnerable. The Next Web describes the Android pwnage, which was partially done, by the way, via near-field communication, or NFC:
The 0day exploit was developed by four MWR Labs employees (two in South Africa and two in the UK) for a Samsung Galaxy S 3 phone running Android 4.0.4 (Ice Cream Sandwich). Two separate security holes were leveraged to completely takeover the device, and download all the data from it.
The first, a memory corruption flaw, was exploited via NFC (by holding two Galaxy S 3s next to each other) to upload a malicious file, which in turn allowed the team to gain code execution on the device. The attack isn’t limited to NFC though; it can also be abused via other attack vectors, such as malicious websites or email attachments.
A second malware infiltration gave attackers complete control over the Galaxy S 3. They gained the ability to transfer whatever data they wanted–emails, texts, photos–to wherever they wanted. The Next Web reports MWR Labs will publish a detailed blog post about the hacks only after the vulnerabilities have been eliminated.
The Dutch researchers who found a vulnerability in the iPhone 4S pursued the exploit because they felt the Apple product was a hard target. ZDNet reports on their exploit:
The hack, which netted a $30,000 cash prize at the mobile Pwn2Own contest here, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.
“It took about three weeks, starting from scratch, and we were only working on our private time,” says Joost Pol [...], CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a “clean, working exploit.”
The researchers couldn’t get everything a real hacker might be after. They managed to snag contacts, photos and videos and web-surfing data, but SMS and email records were too deeply encrypted to reach.
Mr. Pol and Mr. Keuper say the WebKit bug can be found in iOS 6 as well.
Mr. Pol also noted that if someone wanted to use the exploit “in the wild,” they could perhaps embed it in ad networks, which would be dangerous to all unwitting mobile web surfers.
Mr. Pol also sounded a warning every mobile user should hear, regardless of brand affiliation, telling ZDNet that CEOs “should never be doing email or anything of value on an iPhone or a BlackBerry.”