At the Pwn2Own competition, the Nexus 5, Samsung Galaxy S5 and iPhone 5S had their security exploited by whitehats.
HP’s annual two-day festival, Pwn2Own, saw flagship phones such as the Nexus 5, Samsung Galaxy S5 and iPhone 5S have their security breached by ethical hackers, who were rewarded for pointing out flaws in the phones. The contest was organized by HP’s Zero Day Initiative, and the festival came to a close on Wednesday, November 13, 2014.
The iPhone 5S was hacked by a South Korean group, which exploited two vulnerabilities in the device through the Safari browser and achieved a “full sandbox escape”. The entire event was sponsored by Google and BlackBerry; the most advanced hack earned $150,000 out of a total pool of $425,000.
Two separate teams, from Japan and the UK, successfully hacked into the security protocol of the Samsung S5. Both teams used Near Field Communication (NFC) as a vector to exploit the system. One team used NFC to trigger a deserialization issue on the device, which gave them full control over it. As for the Nexus 5, a group used an NFC exploit to force-pair two phones through Bluetooth.
HP has announced that full details of the hacks will be available in the next few weeks. The delay gives the affected companies enough time to work out a fix for the vulnerabilities. The Windows phone was the only one at the festival that hackers were not able to gain full control of: the contestant was able to exfiltrate the database but could not get past the sandbox.