Despite headlines about rampant mobile insecurity, both Google Android and Windows Phone have withstood a cyber-battering in the 2014 Mobile Pwn2Own competition.
Two veteran security researchers, VUPEN’s Nico Joly and Jüri Aedla, were able to achieve partial pwnage of the two mobile operating systems, controlling one aspect of each. But neither were able to gain comprehensive control over the devices, according to event host HP’s recap of the annual event.
Joly, who refined his competition entry on the same laptop he won at this spring’s Pwn2Own in Vancouver, was the only competitor to target Windows Phone (the Lumia 1520). Using an exploit aimed at the browser, he was successfully able to exfiltrate the cookie database; however, the sandbox held and he was unable to gain full control of the system.
Aedla meanwhile, who had a successful Firefox attack in Vancouver this spring, attacked a Google Nexus 5 running Android, via Wi-Fi. However, he was unable to elevate his privileges further than their original level.
The partial exploits were confirmed by the Zero Day Initiative and disclosed to the affected companies.
In contrast, on the first day of the competition, five teams with five targets saw five successful attempts. In the process, nine bugs were exploited.
South Korean competition veterans lokihardt@ASRT had a two-bug combination that pwned the Apple iPhone 5S via the Safari browser, including a full Safari sandbox escape.
The second contest was the first of two consecutive (and successful) attempts against the Samsung Galaxy S5, which, while an Android device, was proved vulnerable via Samsung-specific flaws. The first effort, from Japan’s Team MBSD, used NFC as a vector to trigger a deserialization issue in certain code. And, Jon Butler of South Africa’s MWR InfoSecurity created an NFC exploit targeting a logical error that’s possible on the devices.
Adam Laurie from the UK’s Aperture Labs meanwhile had a two-bug exploit targeting NFC capabilities on the Android-based LG Nexus 5, which demonstrated a way to force Bluetooth pairing between phones.
Finally, a three-man MWR InfoSecurity team of Kyle Riley, Bernard Wagner and Tyrone Erasmus used a three-bug medley to attack Amazon Fire Phone’s web browser.