Apple and Samsung have some fixing to do after Chinese and Japanese teams show off exploits
Apple’s Safari browser for the iPhone 5 and the Samsung Galaxy S4 have been exploited at the Mobile Pwn2Own competition in Japan, highlighting the threats facing the most popular smartphones in the world.
Chinese crew Keen Team were handed $27,000 (£17,000) for their two iPhone 5 exploits, which saw them steal Facebook credentials and hack into an account on the latest iOS version, 7.0.3, whilst making off with a photo they took of the audience on iOS version 6.1.4.
Both hacks would require user interaction, such as clicking on a link, but took no longer than five minutes to perform. Organisers from the HP Zero Day Initiative have informed Apple of the flaw, but the company had not responded to a request for comment at the time of publication.
“We disclosed both those vulnerabilities to Apple probably 30 minutes after the competition,” Brian Gorenc, HP’s manager of vulnerability research and head of the ZDI, told TechWeekEurope. “We’ll see how fast they turn a fix, that’s one of the fun things about this contest.”
Keen Team are the first ever Chinese winners of any Pwn2Own competition.
Japanese hackers from Team MBSD, of Mitsui Bussan Secure Directions, were rewarded with $40,000, as their exploit went beyond just taking data from an application, allowing them to install malicious applications on a Samsung Galaxy S4.
A host of default apps on the Galaxy S4 were vulnerable and could again be exploited by convincing targets to visit malicious websites. With the malicious app installed on the Samsung phone, they were able to steal sensitive data, including contacts, bookmarks, browsing history, screenshots and text messages.
Samsung had not responded to a request for comment at the time of publication either.
“They combined the vulnerabilities, allowing them from a browser to remotely, silently install an application,” Gorenc added.
There is one more day left of the competition. The maximum a team can take away is $100,000 for a hack of a phone’s baseband processor, which handles radio signals, with a total of $300,000 on offer. Google and BlackBerry are also sponsoring Mobile Pwn2Own, which is taking place in Japan this week.