A team of South African and UK hackers has won big at the Mobile Pwn2Own competition in Amsterdam, The Netherlands.
The team, comprising four members of IT security company MWR InfoSecurity’s MWR Labs division, has won a US$30 0000 prize at the competition held at the EuSecWest Conference.
The four researchers found critical vulnerabilities in Android which they exploited over the phone’s Near Field Communications (NFC) functionality.
IT security researchers from all over the world participated in the competition which is held every year. Nils Sommer and Jonathan Butler from the firm’s UK office and Tyrone Erasmus and Jacques Louw from the company’s South Africa office, exploited a standard Samsung Galaxy SIII phone running Android 4.0.4 (Ice Cream Sandwich) by delivering a malicious file over the new S Beam feature, which uses the NFC functionality to send files between two phones.
“The demonstration at Pwn2Own allowed for the full compromise of the Samsung Galaxy SIII phone and installed a Trojan on the device which enabled them to dial any number, gather all SMS, email and data and gain full control of the device,” said Harry Grobbelaar, Managing Director of MWR InfoSecurity South Africa.
The attack was completed in two stages: first using an initial security vulnerability to execute a code on the device and then exploiting a further vulnerability using a customised version of Mercury, MWR’s Android security assessment framework, to take full control of the smartphone.
Researchers sent malformed data to the phone until it crashed, which allowed them to write new code until appropriate conditions to exploit the phone were found, including bypassing randomization of memory, bypassing non-executable memory protection that Android 4.0.4 Ice Cream Sandwich implements, Android’s latest platform for mobile devices, provides as well as reversing Samsung S-Beam to allow for the effective delivery of the file.
The same vulnerability could also be exploited through other attack vectors, such as malicious websites or email attachments.
Similar to the issues discovered and reported on in the Galaxy SII, these vulnerabilities again presented themselves due to insecure applications provided by the vendor and shipped with all the handsets.
“As a result of the fast adoption of mobile banking in South Africa and the rest of Africa, it is important that end-users treat their smart-phones as mobile computers and implement the same security measures as they would for a personal computer,” warned Harry Grobbelaar.
“The issues we found on the Galaxy SIII will exist on other vendors phones, this problem is not limited to Samsung.”
“Do not click on unrecognised email links, open unknown files, respond to text messages that ask for personal details or call numbers sent in text message requests from unknown numbers as these are known attack vectors that criminals are exploiting.”
“Even though exploitation is getting harder on modern platforms as a result of the use of exploit mitigation techniques it is still possible with a dedicated team working on it,” added Grobbelaar.
MWR Labs is the research arm of MWR InfoSecurity, which has offices in the UK and South Africa, and supplies services which support clients in identifying, managing and mitigating their Information Security risks.
Mobile Pwn2Own is run by HP TippingPoint Zero Day Initiative and is sponsored among others by Blackberry phone maker RIM and AT&T. The primary goal of the competition is to demonstrate the current security posture of the most prevalent mobile technologies in use today; including attacks on mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband; with an only requirement of using a current device running the latest operating system.