Zero Day Vulnerabilities On Galaxy SIII And iPhone At Pwn2Own

At the Pwn2Own competition in Amsterdam, security researchers unveiled two previously unknown zero-day exploits on a Samsung Galaxy S3 running Android 4.0.4. These allowed them to download all the data from the smartphone.

The guys from MWR Labs demonstrated how it is possible to utilise NFC (Near Field Communication) to beam an exploit between two S3s that are in close proximity.

“Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation. The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.”
MWR

At the same contest researchers from Certified Secure showed how to hack into an iPhone 4S –

“The hackers, Joost Pol and Daan Keuper, were able to find a vulnerability in WebKit that allowed them to hijack photos, videos, address book contacts, and browsing history right from the phone. The two earned a $30,000 cash-prize for performing what they call ‘a clean hack.’”
9to5MAC

– and –

“The attack relies on directing users to visit a malicious webpage which contains code that can circumvent security mechanisms in the Safari Web browser. The page is able to rifle through the user’s pictures, contacts information, and browsing history, and then transmit all that information to a remote server, all without the user’s knowledge.”
Fahmida Y. Rashid

So just how secure do you think your smartphone is?

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
