Two teams of Japanese "white hat" hackers have been declared victors at HP's Pwn2Own 2013 contest in Tokyo today for finding zero-day exploits that allowed them to compromise the Apple iPhone 5 and the Samsung Galaxy S4.
HP has just reported to Apple and Samsung how these exploits were carried out by the Keen Team and Mitsui Bussan Secure Directions team, respectively, so that fixes can be made. The Keen Team won $27,500 from HP for its efforts, and the Mitsui Bussan Secure Directions team won $40,000. Neither HP nor the winning teams will make the exact exploits available publicly.
The iPhone 5 (running iOS 7) was compromised through a vulnerability in the Safari browser that lets the attacker "weaponize" the victim's phone: once compromised, it can be used to steal contact data and photos, or to carry out attacks such as taking over the victim's Facebook page, says Brian Gorenc, manager of vulnerability research in HP's security division for zero-day research. He adds that Safari-related vulnerabilities were also discovered on the Apple iOS 6 platform.
The attack on the Samsung Galaxy S4 targeted at least one app that ships with the device, though HP is not saying exactly which one or ones. The vulnerabilities allow the attacker to wholly compromise the device in several ways, such as using a drive-by download to install malware on the phone. "They can do whatever they want" after that, says Gorenc. This might include stealing SMS messages, contact lists, and more from the phone.
Gorenc says HP was glad to hold its Pwn2Own zero-day hacking competition in Tokyo this year, since it allowed more direct interaction with skilled security researchers in Asia; most attendees came from Japan and China.
The best-known Pwn2Own contest takes place annually at the CanSecWest conference.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.