Apple iPhone 5, Samsung Galaxy S4 Fall to Hackers

LAPTOP Magazine

The Apple iPhone 5 and Samsung's Galaxy S4 smartphones quickly fell prey to hackers at this year's Mobile Pwn2Own contest, held yesterday and today (Nov. 13-14) in Tokyo. Google's Nexus 4 phone and Microsoft's Surface RT tablet also were exploited.

Yesterday, Team MBSD from Japan got into a fully patched, non-rooted Galaxy S4 by pointing the device's browser at a rigged website, then chaining together multiple flaws in several pre-installed apps to install mobile malware and steal the registered user's personal information.

Other than the initial Web page load, no user action was required for this hack to work. The exploit targeted not Android itself but the apps that Samsung preloads onto the phone; the target device had no additional apps installed. For its trouble, Team MBSD won the Mobile Application/Operating System category and was awarded $40,000.

A recent study found that most Android security vulnerabilities stem not from the operating system itself, but from all the extra apps, sometimes referred to as "crapware," that phone manufacturers add to phones before they're sold to customers. Samsung devices had the most vulnerabilities in the study, although the Galaxy S4 was not included.
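Since the attack surface in the Galaxy S4 case was the preloaded apps rather than Android, the practical response on a phone you cannot root is to disable the preloaded packages you do not use. The script below is an added example, not code from the article or from any of the teams; it assumes adb with USB debugging enabled, uses an illustrative allowlist (KEEP_PATTERNS) that you would need to vet for your own device, and the package names in sample_pm_output are constructed for the example (the article does not name the apps that were exploited).

```shell
#!/bin/sh
# Added example (not from the article): reduce the preloaded-app attack surface
# on a non-rooted Android phone by disabling system packages you do not use.
# "pm disable-user" hides a package for the given user without root and is
# reversible with "pm enable". Requires adb with USB debugging on the phone.
#
# Assumptions: KEEP_PATTERNS is an illustrative allowlist, not a vetted one;
# the package names in sample_pm_output are constructed for this example and
# are not the apps exploited at Pwn2Own (the article does not name them).

# Packages that must stay enabled (extended regex over "package:NAME" lines).
KEEP_PATTERNS='^package:(android$|com\.android\.|com\.google\.android\.(gms|gsf)$)'

# Constructed stand-in for "adb shell pm list packages -s" so the script can be
# exercised without a device attached.
sample_pm_output() {
    printf '%s\n' \
        'package:android' \
        'package:com.android.settings' \
        'package:com.google.android.gms' \
        'package:com.vendor.example.preload1' \
        'package:com.vendor.example.preload2'
}

# Real package listing; -s limits the list to system (preinstalled) packages.
# Older adb builds emit CRLF line endings, so strip the carriage returns.
device_pm_output() {
    adb shell pm list packages -s | tr -d '\r'
}

# Read "package:NAME" lines on stdin and print one disable command per package
# that is not covered by KEEP_PATTERNS. Nothing is executed by this function.
disable_commands() {
    grep -E '^package:' | grep -Ev "$KEEP_PATTERNS" \
        | sed -E 's/^package:(.*)$/adb shell pm disable-user --user 0 \1/'
}

# Dry run by default: print what would be disabled, using the constructed
# sample. With APPLY=1 and a device attached, list the real packages and run
# the generated commands (sh -x echoes each one as it runs).
if [ "${APPLY:-0}" = "1" ]; then
    device_pm_output | disable_commands | sh -x
else
    sample_pm_output | disable_commands
fi
```

Disabling a package only removes it from the exposed surface; it does not patch the flaws in whatever remains enabled, and a preloaded app that other apps depend on may need to be re-enabled with `pm enable`. The `pm disable-user` subcommand is present on recent Android builds; older 4.x builds may lack it (assumption), in which case Settings > Apps > Disable is the manual equivalent.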

Also yesterday, the Keen Team from China broke into a fully patched, non-jailbroken iPhone 5 running iOS 7.0.3 to steal user credentials. The three hackers on the team pointed the phone's Safari browser at a rigged Facebook page, then exploited a flaw in the WebKit rendering engine underlying Safari to steal the user's cookies, some of which stored login credentials.

The iPhone 5s and 5c were not tested, but they run the same iOS 7 release and WebKit build, so the flaw would likely be present on them as well. Because the flaw was in WebKit, the same bug may also exist in the Mac OS X version of Safari and in other browsers and applications built on WebKit, although a working exploit would have to be adapted for each platform.

Competing in the Mobile Web Browser category, the Keen Team won only $27,500 rather than the full $40,000 for their category because their exploit did not escape the Safari "sandbox" to affect other iOS apps.

Today, two researchers from HP's Zero-Day Initiative bug-bounty program demonstrated an exploit of Microsoft's brand-new Internet Explorer 11 browser on a Surface RT tablet running Windows 8.1. The pair showed how to install potentially malicious software simply by pointing IE 11 at a rigged website.

No prize was awarded because Zero-Day Initiative, which rewards security researchers for finding software flaws, was hosting the Mobile Pwn2Own contest.

Lastly, teenage hacker Pinkie Pie, who has successfully cracked Google Chrome at previous Pwn2Own contests without ever revealing his real name, did it once again. (The original Pinkie Pie is a character from the TV cartoon "My Little Pony: Friendship Is Magic.")

Chaining together two Chrome vulnerabilities, Pinkie Pie used a rigged website to implant potentially malicious code on the Google Nexus 4. Then, for good measure, he did the same thing to the Samsung Galaxy S4.

For achieving "full sandbox escape" using Chrome, Pinkie Pie won the top $40,000 award in the Mobile Web Browser category, plus an extra $10,000 put up by Google for any hacker who could defeat Chrome on either the Nexus 4 or Galaxy S4. (He defeated both.)

However, a lot of potential prize money was left on the table as three other categories went untouched. Hacking a phone's baseband processor, which handles the physical radio transmissions to cellular towers, could have won someone $100,000.

Hacking a phone or tablet's instant-messaging systems could have earned $70,000, while achieving a short-distance hack via Bluetooth, Wi-Fi, near-field communications (NFC) or USB would have been worth $50,000.

The Mobile Pwn2Own contest took place at the PacSec 2013 security conference in Tokyo. The prize money was put up by BlackBerry and Google.

The desktop Pwn2Own 2014 contest will be held at the CanSecWest security conference in Vancouver, British Columbia, in March.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • jimmysmitty
    I am not surprised as the apps ask for all kinds of permissions and some don't even need them.

    What I find interesting is the iOS hack. Since it's a flaw in WebKit, I wonder if this flaw could be used on Safari and Chrome since both browsers use WebKit. If so that means that even on PC or Mac it's not safe.
  • NightLight
    look how pretty that s4 looks compared to the iphone...
  • house70
    I also find interesting the fact that Google is offering money to hackers (as prizes) to discover Chrome vulnerabilities. It's a smart tactic and pays off in the long run. If the other "hacked manufacturers" would do the same the Internet would be a much safer place.
    My SGS4 had the GE version of the OS, which had been on 4.3 for a long time and will get the 4.4 by the end of the year. No Samsung bloat on it. Of course, it would be nice to see which specific apps were vulnerable, because there is a way to disable these on a phone, even a non-rooted phone.
    I always read the permissions required when installing apps, and if something sounds fishy I never allow it to proceed. I've been using Android since the glorious days of Cupcake and never had any malware on any of my phones (TBH, I have never seen personally an infected Android phone, despite the apocalyptic previsions of this or that "expert").
  • burmese_dude
    Carriers should stop installing $hitwares
  • jurassic512
    All "crapware" should have the ability to be uninstalled and re-downloaded if desired. Or since unlocked phones are allowed, there should be an option to get a phone crapware free from your provider before you have it in your hands, aka make it optional when you sign up.
  • guvnaguy
    Were any Windows Phone 8 devices included in this? Curious to see how it compares. Otherwise, my next phone will be a pure version of Android.
  • ericburnby
    So they never got out of the sandbox on the iPhone but were awarded a significant sum anyway? I would have thought the award would have been relative to the seriousness of the attack.
  • therealduckofdeath
    Google forked their iteration of WebKit earlier this year and is now using an engine called Blink.
  • slomo4sho
    So, moral of the story... don't visit potentially malicious sites and don't use stock browsers?
  • excursion
    Android and iOS may have changed the look of it, but the code usually doesn't change much; if you leave a window open long enough something will eventually come through.