The Apple iPhone 5 and Samsung's Galaxy S4 smartphones quickly fell prey to hackers at this year's Mobile Pwn2Own contest, held yesterday and today (Nov. 13-14) in Tokyo. Google's Nexus 4 phone and Microsoft's Surface RT tablet also were exploited.
Yesterday, Team MBSD from Japan got into a fully patched, non-rooted Galaxy S4 by pointing the device's browser at a rigged website, then chaining together multiple flaws in several pre-installed apps to install mobile malware and steal the registered user's personal information.
Other than the initial Web page load, no user action was required for this hack to work. The exploit was not of Android specifically, but of the apps that Samsung preloads onto the phone. (No additional apps were installed). For its trouble, Team MBSD won the Mobile Application/Operating System category and was awarded $40,000.
MORE: Mobile Security Guide: Everything You Need to Know
A recent study found that most Android security vulnerabilities stem not from the operating system itself, but from all the extra apps— sometimes referred to as "crapware" — that phone manufacturers add to phones before they're sold to customers. Samsung devices had the most vulnerabilities in the study, although the Galaxy S4 was not included.
Also yesterday, the Keen Team from China broke into a fully patched, non-jailbroken iPhone 5 running iOS 7.0.3 to steal user credentials. The three hackers on the team pointed the phone's Safari browser at a rigged Facebook page, then exploited a flaw in the WebKit rendering engine underlying Safari to steal the user's cookies, some of which stored login credentials.
The iPhone 5s and 5c were not tested, but would likely be vulnerable as well. Because the flaw was in WebKit, it's possible the same exploit would work in the Mac OS X version of Safari, as well as on other browsers and applications that use WebKit.
Competing in the Mobile Web Browser category, the Keen Team won only $27,500 rather than the full $40,000 for their category because their exploit did not escape the Safari "sandbox" to affect other iOS apps.
Today, two researchers from HP's Zero-Day Initiative bug-bounty program demonstrated an exploit of Microsoft's brand-new Internet Explorer 11 browser on a Surface RT tablet running Windows 8.1. The pair showed how to install potentially malicious software simply by pointing IE 11 at a rigged website.
No prize was awarded because Zero-Day Initiative, which rewards security researchers for finding software flaws, was hosting the Mobile Pwn2Own contest.
Lastly, teenage hacker Pinkie Pie, who has successfully cracked Google Chrome at previous Pwn2Own contests without ever revealing his real name, did it once again. (The original Pinkie Pie is a character from the TV cartoon "My Little Pony: Friendship Is Magic.")
Chaining together two Chrome vulnerabilities, Pinkie Pie used a rigged website to implant potentially malicious code on the Google Nexus 4. Then, for good measure, he did the same thing to the Samsung Galaxy S4.
For achieving "full sandbox escape" using Chrome, Pinkie Pie won the top $40,000 award in the Mobile Web Browser category, plus an extra $10,000 put up by Google for any hacker who could defeat Chrome on either the Nexus 4 or Galaxy S4. (He defeated both.)
However, a lot of potential prize money was left on the table as three other categories went untouched. Hacking a phone's baseband processor, which handles the physical radio transmissions to cellular towers, could have won someone $100,000.
Hacking a phone or tablet's instant-messaging systems could have earned $70,000, while achieving a short-distance hack via Bluetooth, Wi-Fi, near-field communications (NFC) or USB would have been worth $50,000.
The Mobile Pwn2Own contest took place at the PacSec 2013 security conference in Tokyo. The prize money was put up by BlackBerry and Google.
The desktop Pwn2Own 2014 contest will be held at the CanSecWest security conference in Vancouver, British Columbia, in March.
Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
