Pwn2Own! A smartphone hackathon.

Mobile security has been addressed several times this quarter, and the conclusion was always the same: there’s not enough being done to secure our smartphones. Whether it was from a lack of knowledge on the user’s end or a reputable smartphone manufacturer giving a false sense of security, there was not enough attention being paid to the protection of our valuable smartphone data. Until now. Pwn2Own, a security competition held on the 19th and 20th of September, has brought to the public’s attention that their phones are far more vulnerable than once thought. Hosted by HP in Amsterdam, the two days were filled with security exploits on new smartphones, including the iPhone 5.

Two Dutch security researchers discovered that by stringing together multiple vulnerabilities they could write an exploit exposing the entire contact list, photos and videos, as well as the browsing history. This exploit was conducted on the iPhone 4S, but the same vulnerabilities exist on the new iPhone 5, iPad and iPod touch. The two security researchers built this exploit from scratch over a period of three weeks. After finishing the exploit they were quoted as saying, “The iPhone is still the most advanced phone in terms of security.” Finally, after winning $30,000.00 in the competition, they gave the vulnerability over to Apple and destroyed all files and traces of this exploit on their machines.

Also hacked at Pwn2Own was the Galaxy S3, an Android-based device that still could not keep out determined crackers. The vulnerability exploited on the Android device was a little more serious in that the attacker had full control over the phone. It was done with NFC (near field communication), which beamed the exploit from one Galaxy S to another. The same exploit was able to work on previous models of Samsung’s Galaxy smartphones.

The contest allowed researchers to collaborate with smartphone vendors in an effort to advance security and prevent future vulnerabilities and exploits. The details of the vulnerabilities were shared only with the affected vendors. I’m not sure if there was any kind of non-disclosure agreement or not. If not, then it’s kind of up in the air what the security researchers tend to do with the exploit knowledge after the fact. The security researchers and crackers were paid and awarded prizes by the smartphone vendors. Computing companies should take note of competitions like this and hold more of them in the future. If they award “smaller” sums now, it may potentially save them larger financial sums later.

Sources:

1) http://www.computerworld.com/s/article/9231448/Galaxy_S3_hacked_via_NFC_at_Mobile_Pwn2Own_competition

2) http://www.pcmag.com/article2/0,2817,2409903,00.asp?kc=PCRSS03069TX1K0001121&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ziffdavis%2Fpcmag%2Fbreakingnews+%28PCMag.com+Breaking+News%29

3) http://www.zdnet.com/pwn2own-lesson-dont-thumb-nose-at-mobile-security-threats-7000004572/

4) http://www.zdnet.com/mobile-pwn2own-iphone-4s-hacked-by-dutch-team-7000004498/


10 thoughts on “Pwn2Own! A smartphone hackathon.”

  1. This is how ‘grey hat’ cracking should work. Point at a target, and tell the people who can fix it right after. I wonder if someone could win enough of these to make a job out of it. That would be interesting.

  2. I agree with ssc1344’s comment. This is grey hat done right. Companies that are targeted for these competitions should pay close attention to these events, maybe even sponsor them. People working on the outside of companies think different than internal employees (Apple, please don’t sue me for saying “Think Different” without your permission). Hacking for pleasure not only quenches the needs of hackers, but helps patch security holes for companies. I hope to see more of these in the future.

  3. I find it interesting that this has not been done in the past. I know that these companies want to keep their vulnerabilities under wraps to ensure that the sales of their products don’t falter, but I find it extremely irresponsible for these companies to willingly sell faulty products without either warning the consumer, or expediting the patch process. If employing these outside “freelance” hackers/crackers is a possible solution for speeding this process up, I think that it should be done more, and it should be easier for people to do so.

  4. I agree with what the people posting before me said. These events also draw more attention to the vulnerability of something like smartphones. Even if people don’t understand how hacking a device works they still know about it and may be more willing to put some kind of security on them.

  5. This was a very interesting article, and I would like to see something like this at RIT sometime. It seems like a great way to build an impressive resume out of college or to find a co-op that pays really well or just making 30,000 dollars would be alright. Not to mention this could help businesses find great talent, and we might actually see the numbers regarding vulnerabilities in new technologies go down.

  6. I think this just supports the past two articles on the security of smartphones. Many people assume that nothing can go wrong and that their devices can’t be hacked, but they are obviously wrong. It’s nice to see that there are some hackers out there that are willing to do the right thing (even if they still are getting paid.)

  7. That prize money in my opinion is hilariously low compared to the losses that Apple could possibly have. Wouldn’t it be funny if the hackers in these competitions somehow went on some sort of strike to increase the prize pool? I guess you could argue that there are enough hackers in the world that the striking ones would just get replaced, but it’s a fun idea to think about.

    • I agree the prize money should be drastically increased. When the prize money is less than a year of tuition at R.I.T you know it’s too low.

  8. Phones are just not safe enough for us to be doing what we do today on them. As a smart phone owner you should understand that and avoid personal info use. Accept that ALL this stuff is insecure and take appropriate measures.

  9. I would like to see these competitions add a rooted or jailbroken section for testing. The majority of tech-savvy smart phone owners only keep their stock OS for so long before switching to a popular Android ROM or jailbroken iPhones. I mean come on, if you’re hacking into smart phones it’s time to void some warranties.
