At the Pwn2Own competition in Amsterdam, security researchers unveiled two previously unknown zero-day exploits on a Samsung Galaxy S3 running Android 4.0.4. This allowed them to download all the data from the smartphone.
The guys from MWR Labs demonstrated how NFC (Near Field Communication) can be used to beam an exploit between two S3s that are in close proximity.
“Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation. The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.”
At the same contest, researchers from Certified Secure showed how to hack into an iPhone 4S -
“The hackers, Joost Pol and Daan Keuper, were able to find a vulnerability in WebKit that allowed them to hijack photos, videos, address book contacts, and browsing history right from the phone. The two earned a $30,000 cash prize for performing what they call ‘a clean hack.’”
- and -
“The attack relies on directing users to visit a malicious webpage which contains code that can circumvent security mechanisms in the Safari Web browser. The page is able to rifle through the user’s pictures, contacts information, and browsing history, and then transmit all that information to a remote server, all without the user’s knowledge.”
Fahmida Y. Rashid
So just how secure do you think your smartphone is?