Thursday, 13 November 2014

Pay-by-bonk chip lets hackers pop all your favourite phones

Blood is flowing on the floor of the Pwn2Own challenge slaughterhouse, after whitehats hacked their way through an Apple iPhone 5S, Samsung Galaxy S5, LG Nexus 5 and Amazon Fire, most often by using Near Field Communications.
The annual contest backed by mobile giants BlackBerry and Google and run by HP's Zero Day Initiative vulnerability clearing house attracted a record number of entrants ensuring that all mobile phones were at least partially popped.
HP DVLabs manager Steve Povolny said in a blog the contestants had 30 minutes to execute their pre-planned exploits.
"Researchers from around the globe have travelled to (PacSec) Tokyo to compete in a live challenge, targeting one of several mobile categories, including NFC / short distance, mobile OS and browser," Povolny said.
Contestants had 30 minutes to demonstrate live exploits against the updated and unmodified devices running inside a Faraday cage to isolate signals.
South Korean hacker Lokihardt of the Advanced Security Research Team kicked off the event by popping Safari on an Apple iPhone 5S.
Japan's Team MBSD (Mitsui Bussan Secure Directions) and South Africa's MWR Labs hacked a Samsung Galaxy S5 over NFC by way of a deserialisation exploit and logical error, the former having popped the S4 at the 2013 event installing malware and stealing data.
The South African team of Kyle Riley, Bernard Wagner, and Tyrone Erasmus also p0wned an Amazon Fire phone installing their Drozer attack framework with full permissions through the use of three browser bugs.

Another Brit Adam Laurie of Aperture Labs also used NFC to bust a LG Nexus 5 through forced Bluetooth device pairings, a plot observers noted that was part of TV flick Person of Interest.
Frenchman Nico Joy pulled off a partial hack against the Nokia Lumia 1520 browser while Estonian Juri Aedla also part popped the Google Nexus 5 over WiFi.
MRW Labs laugh as Amazon's phone dies in Fire. © MWR Labs
Near Field Communications was "clearly the most popular" payload delivery vector for this year's competition, HP security bod Shannon Sabens writes.
The vulnerabilities were quietly shipped off to the respective vendors for patching while tens of thousands of dollars in prize money was handed out to successful hackers.

No comments:

Post a Comment