Back in March, the Pwn2Own 2013 contest took place to coincide with CanSecWest. This past week, the second annual Mobile Pwn2Own was held in Tokyo at the PacSec conference.
HP and other sponsors like Google’s Android and Chrome teams along with Blackberry are willing to shell out over $300,000 in cash and prizes to those that successfully compromise the chosen targets. Those targets include the Samsung Galaxy S4, the iPhone 5, Microsoft’s Surface RT along with mobile apps and the browser. The vulnerabilities demonstrated at Mobile Pwn2Own were disclosed to the affected vendors.
This year’s Mobile Pwn2Own contest is offering the following prizes to the first contestant who successfully compromises their mobile target in the following categories:
- Short Distance/Physical Access ($50,000), either:
- Bluetooth, or
- Wi-Fi, or
- Universal Serial Bus (USB), or
- Near Field Communication (NFC)
- Mobile Web Browser ($40,000) **
- Mobile Application/Operating System ($40,000)
- Messaging Services ($70,000), either:
- Short Message Service (SMS), or
- Multimedia Messaging Service (MMS), or
- Commercial Mobile Alert System (CMAS)
- Baseband ($100,000)
Contestants are allowed to select the target they wish to compromise during the pre-registration process. The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:
- Nokia Lumia 1020 running Windows Phone
- Microsoft Surface RT running Windows RT
- Samsung Galaxy S4 running Android
- Apple iPhone 5 running iOS
- Apple iPad Mini running iOS
- Google Nexus 4 running Android
- Google Nexus 7 running Android
- Google Nexus 10 running Android
- BlackBerry Z10 running BlackBerry 10
Drawing from the Zero Day Initiative Twitter and the official HP Pwn2Own website, these are the results compiled onto one page:
The Keen Team, from China, successfully exploited Safari on a non-jailbroken iPhone 5 by capturing Facebook credentials on iOS 7.0.3 and copying a photo from iOS 6.1.4. More details.
Team MBSD, from Japan, successfully exploited several default applications on the Samsung Galaxy S4 just by getting the person to visit a malicious site. With that access, they installed malware and stole confidential data. More details.
Pinkie Pie compromised Chrome on both the Nexus 4 and the Samsung Galaxy S4 taking advantage of an integer overflow and another vulnerability to do a full sandbox escape. More details.
There was an effort to exploit Internet Explorer 11 on Windows 8.1 but it doesn’t seem that it was successful during the contest. More details.