The results are in. After a week of competition at the HP-sponsored mobile Pwn2own event in Amsterdam, both iOS and Android proved to be vulnerable to new zero-day attacks.
HP awarded two sets of researchers with $30,000 each, for finding and successfully demonstrating the vulnerabilities on iOS and Android. HP had put $200,000 on the table looking for mobile browser, SMS and cellular baseband vulnerabilities. HP kept some of its prize money as other elements of the mobile technology landscape, including Blackberry and Cellular Baseband, were not exploited.
Was NFC Hacked?
One of the winners of HP’s prize money was for an exploit that leveraged NFC (near field communication) on a Samsung Galaxy Android smartphone. While the attack was delivered via NFC, it is important to note that the attack is not necessarily a vulnerability in NFC itself.
The winning team of researchers, from MWR Labs, used a technique first demonstrated by security research Charlie Miller earlier this year at the Black Hat USA event. Miller demonstrated that a feature known as Android Beam, which lets one user send an item to another without the need for the recipient to do anything, could be used to deliver an attack. In Miller’s case, he used NFC Beam to open the browser and trigger a WebKit vulnerability.
Brian Gorenc, manager, Zero Day Initiative, HP DVLabs, confirmed to eSecurity Planet that MWR Labs also used Beam as its medium for attack. That said, he stressed that the actual vulnerability is different than what Miller demonstrated.
“NFC is the delivery mechanism and the vulnerability itself is in a parser in the operating system,” Gorenc said.
As such, the same flaw could have potentially been triggered by delivery methods other than NFC, such as a simple email.
“The trick was to get the specific application that handled a specific file type to load and render a malicious document,” Gorenc said.
WebKit flaw on iOS
Security researchers Joost Pol and Daan Keuper from Certified Secure exploited a previously unreported WebKit flaw on an iPhone 4S. WebKit is the core underlying rendering engine used in Apple’s Safari Web browser on both iOS and Mac OS. WebKit is also used by Google for Chrome and Android.
While the researchers demonstrated their attack against an iPhone 4S running the latest version of iOS 5, Gronec noted that the new iPhone 5 and its iOS 6 operating system are also vulnerable. “Certified Secure did test against iOS 6 and they said it was still vulnerable,” he said.
Apple was not present at the pwn2own event, but Gronec said that HP will responsibly and privately disclose the issue to Apple so it can be fixed.