Mobile security has been addressed several times this quarter; the conclusion was always the same: there’s not enough being done to secure our smartphones. Whether it was from a lack of knowledge on the user’s end, or a reputable smartphone manufacturer giving a false sense of security, there was not enough attention being paid to the protection of our valuable smartphone data. That was until now: Pwn2Own, a security competition hosted on the 19th and 20th of September, has brought to the public’s attention that their phones are far more vulnerable than once thought. Hosted by HP in Amsterdam, the two days were filled with security exploits on new smartphones, including the iPhone 5.
Two Dutch security researchers discovered that by stringing together multiple vulnerabilities they could write an exploit exposing the entire contact list, photos and videos, as well as browsing history. This exploit was conducted on the iPhone 4S, but the same vulnerabilities exist on the new iPhone 5, iPad and iPod touch. The two security researchers built this exploit from scratch over a period of three weeks. After finishing the exploit they were quoted as saying, “The iPhone is still the most advanced phone in terms of security.” Finally, after winning $30,000.00 in the competition, they gave the vulnerability over to Apple and destroyed all files and traces of this exploit on their machines.
Also hacked at Pwn2Own was the Galaxy S3, an Android-based device that still could not keep out determined crackers. The vulnerability exploited on the Android device was a little more serious in that the attacker had full control over the phone. It was done with NFC (near field communication), which beamed the exploit from one Galaxy S to another. The same exploit was able to work on previous models of Samsung’s Galaxy smartphones.
The contest allowed researchers to collaborate with smartphone vendors in an effort to advance security and prevent future vulnerabilities and exploits. The details of vulnerabilities were only shared with the affected vendors. I’m not sure if there was any kind of non-disclosure agreement or not. If not, then it’s kind of up in the air what the security researchers tend to do with the exploit knowledge after the fact. The security researchers and crackers were paid and awarded prizes from the smartphone vendors. Computing companies should take note of competitions like this and hold more of them in the future. If they award “smaller” sums now, it may save them larger financial sums later.