Apple iPhone 5, Samsung Galaxy S4 Fall to Hackers

Source: Tom's Guide US

The Apple iPhone 5 and Samsung's Galaxy S4 smartphones quickly fell prey to hackers at this year's Mobile Pwn2Own contest, held yesterday and today (Nov. 13-14) in Tokyo. Google's Nexus 4 phone and Microsoft's Surface RT tablet also were exploited.

Yesterday, Team MBSD from Japan got into a fully patched, non-rooted Galaxy S4 by pointing the device's browser at a rigged website, then chaining together multiple flaws in several pre-installed apps to install mobile malware and steal the registered user's personal information.

Other than the initial Web page load, no user action was required for this hack to work. The exploit was not of Android specifically, but of the apps that Samsung preloads onto the phone. (No additional apps were installed.) For its trouble, Team MBSD won the Mobile Application/Operating System category and was awarded $40,000.

A recent study found that most Android security vulnerabilities stem not from the operating system itself, but from all the extra apps — sometimes referred to as "crapware" — that phone manufacturers add to phones before they're sold to customers. Samsung devices had the most vulnerabilities in the study, although the Galaxy S4 was not included.

Also yesterday, the Keen Team from China broke into a fully patched, non-jailbroken iPhone 5 running iOS 7.0.3 to steal user credentials. The three hackers on the team pointed the phone's Safari browser at a rigged Facebook page, then exploited a flaw in the WebKit rendering engine underlying Safari to steal the user's cookies, some of which stored login credentials.

The iPhone 5s and 5c were not tested, but would likely be vulnerable as well. Because the flaw was in WebKit, it's possible the same exploit would work in the Mac OS X version of Safari, as well as on other browsers and applications that use WebKit.

Competing in the Mobile Web Browser category, the Keen Team won only $27,500 rather than the full $40,000 for their category because their exploit did not escape the Safari "sandbox" to affect other iOS apps.

Today, two researchers from HP's Zero-Day Initiative bug-bounty program demonstrated an exploit of Microsoft's brand-new Internet Explorer 11 browser on a Surface RT tablet running Windows 8.1. The pair showed how to install potentially malicious software simply by pointing IE 11 at a rigged website.

No prize was awarded because Zero-Day Initiative, which rewards security researchers for finding software flaws, was hosting the Mobile Pwn2Own contest.

Lastly, teenage hacker Pinkie Pie, who has successfully cracked Google Chrome at previous Pwn2Own contests without ever revealing his real name, did it once again. (The original Pinkie Pie is a character from the TV cartoon "My Little Pony: Friendship Is Magic.")

Chaining together two Chrome vulnerabilities, Pinkie Pie used a rigged website to implant potentially malicious code on the Google Nexus 4. Then, for good measure, he did the same thing to the Samsung Galaxy S4.

For achieving "full sandbox escape" using Chrome, Pinkie Pie won the top $40,000 award in the Mobile Web Browser category, plus an extra $10,000 put up by Google for any hacker who could defeat Chrome on either the Nexus 4 or Galaxy S4. (He defeated both.)

However, a lot of potential prize money was left on the table as three other categories went untouched. Hacking a phone's baseband processor, which handles the physical radio transmissions to cellular towers, could have won someone $100,000.

Hacking a phone or tablet's instant-messaging systems could have earned $70,000, while achieving a short-distance hack via Bluetooth, Wi-Fi, near-field communications (NFC) or USB would have been worth $50,000.

The Mobile Pwn2Own contest took place at the PacSec 2013 security conference in Tokyo. The prize money was put up by BlackBerry and Google.

The desktop Pwn2Own 2014 contest will be held at the CanSecWest security conference in Vancouver, British Columbia, in March.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • 1 Hide
    jimmysmitty , November 14, 2013 2:30 PM
    I am not surprised as the apps ask for all kinds of permissions and some don't even need them.

    What I find interesting is the iOS hack. Since it's a flaw in Webkit, I wonder if this flaw could be used on Safari and Chrome since both browsers use Webkit. If so that means that even on PC or Mac it's not safe.
  • 5 Hide
    NightLight , November 14, 2013 2:43 PM
    look how pretty that s4 looks compared to the iphone...
  • 0 Hide
    house70 , November 14, 2013 2:51 PM
    I also find interesting the fact that Google is offering money to hackers (as prizes) to discover Chrome vulnerabilities. It's a smart tactic and pays off in the long run. If the other "hacked manufacturers" would do the same the Internet would be a much safer place.
    My SGS4 had the GE version of the OS, which had been on 4.3 for a long time and will get the 4.4 by the end of the year. No Samsung bloat on it. Of course, it would be nice to see which specific apps were vulnerable, because there is a way to disable these on a phone, even a non-rooted phone.
    I always read the permissions required when installing apps, and if something sounds fishy I never allow it to proceed. I've been using Android since the glorious days of Cupcake and never had any malware on any of my phones (TBH, I have never seen personally an infected Android phone, despite the apocalyptic previsions of this or that "expert").
  • 5 Hide
    burmese_dude , November 14, 2013 3:23 PM
    Carriers should stop installing $hitwares
  • 2 Hide
    jurassic512 , November 14, 2013 4:08 PM
    All "crapware" should have the ability to be uninstalled and re-downloaded if desired. Or since unlocked phones are allowed, there should be an option to get a phone crapware free from your provider before you have it in your hands. aka make it optional when you sign up.
  • 0 Hide
    guvnaguy , November 14, 2013 5:33 PM
    Were any Windows Phone 8 devices included in this? Curious to see how it compares. Otherwise, my next phone will be a pure version of Android.
  • 0 Hide
    ericburnby , November 14, 2013 6:18 PM
    So they never got out of the sandbox on the iPhone but were awarded a significant sum anyway? I would have thought the award would have been relative to the seriousness of the attack.
  • 0 Hide
    therealduckofdeath , November 14, 2013 8:16 PM
    @jimmysmitty

    Google forked their iteration of Webkit earlier this year and is now using an engine called Blink.
  • 1 Hide
    slomo4sho , November 15, 2013 12:02 AM
    So, moral of the story... don't visit potentially malicious sites and don't use stock browsers?
  • 0 Hide
    excursion , November 15, 2013 3:11 AM
    Android and iOS may have changed the look of it, but the code usually doesn't change much, if you leave a window open long enough something will eventually come through.
  • 0 Hide
    tobalaz , November 15, 2013 5:28 AM
    And this is why I flash a stock Android rom onto my phone and read permissions when I install apps.
    Really, there's too much bloatware/ crapware crammed onto our phones that doesn't need to be there.
    Flashing clean improves security, performance and battery life.
  • 0 Hide
    hoofhearted , November 15, 2013 7:04 AM
    setting -> application manager -> All -> <app from list> -> Disable, Force Stop, uncheck "Show notifications", Clear data

    This link has some nice crapware lists (there are probably other lists out there too):
    http://forum.xda-developers.com/showthread.php?t=2254143

    I just wish there was an Android DeCrapfier app. I'd buy that for a dollar :) 