Galaxy S3 and iPhone 4S exploited at Pwn2Own competition

By Lee Kaelin on September 20, 2012, 10:30 AM

Dutch security researchers breached Apple's mobile OS at the Pwn2Own competition held during the EUSecWest security conference in Amsterdam, which opened its doors yesterday. The exploit used a zero-day vulnerability present in both iOS 5.1.1 and the golden master build of iOS 6 to sidestep Apple's code-signing requirements as well as Safari's sandbox, enabling an attacker to steal a device's pictures, videos, address book contacts and browsing history.

The exploit was successfully tested on the iPhone 4S, iPhone 4, iPad and iPod touch, but it isn't necessarily limited to those devices. “We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out will be vulnerable to this attack,” Joost Pol, CEO of Certified Secure, said.

While Pol wouldn't reveal exactly how the exploit worked, he did say that Safari's security mechanisms were circumvented simply by visiting a website: no user interaction beyond loading the page was required. “We could embed the code in advertisements on news sites for example,” he said, adding that the code could be placed anywhere on a website and it would still work.

It took Pol and his colleague Daan Keuper about three weeks to develop the WebKit browser exploit in their spare time. Among other prizes, they won $30,000 for demonstrating the working exploit as part of the competition. Pol still considers the iPhone the most secure smartphone available, but warned that Apple will have to ship an update to patch this hole and that users need to upgrade as quickly as possible.

Security researchers from MWR Labs also demonstrated two previously unknown zero-day vulnerabilities in Android 4.0.4 running on Samsung's Galaxy S3 smartphone as part of the competition. “Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation,” MWR Labs said.

The first vulnerability caused memory corruption, giving them limited code execution on the smartphone. From there they used the second to escalate privileges on the handset and break out of the application sandbox. That allowed them to install Mercury, their Android assessment framework, and then extract user data from the device, such as SMS messages and contact information, as well as make calls from the phone.

User Comments: 9

Tygerstrike said:

Wow!! Why haven't the cellphone makers hired these guys yet!!! They picked apart 2 of the hottest phones.

Leeky I just love your stories lol!!

You shine a light that illuminates the darkness of ignorance!!

PinothyJ said:

The more complicated a device the easier it is to break in :'(?

lipe123 said:

NFC is disabled by default on the S3 and then there is the obvious part that the "attacker" needs to have physical contact with your phone to execute it.

In that case he can just assault you physically, pick the phone up from the ground and save himself a lot of time.

Still I guess grasping at straws to make the S3 look as bad as the iphone is the norm.

Guest said:

Still I guess grasping at straws to make the iphone look as bad as the S3 is the norm.

Leeky said:

Leeky I just love your stories lol!!

You shine a light that illuminates the darkness of ignorance!!

Haha, Thanks @Tygerstrike.

RajeGera said:

This is simply genius stuff.. Just some days after the iPhone 5 release... Marvellous..

Guest said:

I'd like to know why Pol thinks the GS3 is less secure when the only exploit stated here required not only physical proximity but NFC to be turned on from default. Easily avoidable just by not keeping your NFC on.

Leeky said:

@guest above, Joost Pol said he believed it was the most secure, he wasn't basing his opinion on one or the other as a direct comparison, but his personal feelings about smartphones in general.

The article itself is about three separate, and undiscovered zero-day vulnerabilities: one with iOS, and two with the Galaxy S3 running Android 4.0.4. I agree that Samsung's could be mitigated by switching it off, but I've handled several new SGS3's now and all of them have been switched on by default -- so assuming this isn't just a coincidence it is a problem, as uninformed consumers wouldn't have any idea about NFC, never mind how to turn it on or off.

I personally think NFC should be included in the top bar of the Android menu, alongside WiFi and the other functionality you can turn on and off. It shouldn't be buried in the settings > More Settings menu.

Tygerstrike said:

In all my years of retail even I know that this is a problem. I'm guessing that they left this as default for something they have planned. Perhaps Samsung will see this and rewrite their next update to set the NFC as switched off by default. If they don't they will have a definite problem as it is now a known issue.
