At this year's Mobile Pwn2Own event, which took place during the Applied Security Conference (PacSec) in Tokyo, the research arm of global consultancy MWR InfoSecurity, MWR Labs, won two different categories by exclusively demonstrating security flaws in both the Amazon Fire Phone and Samsung Galaxy S5.
One team of researchers from MWR Labs in South Africa exposed a remote code execution on the Amazon Fire Phone, while another team from MWR Labs in the UK exploited the Samsung Galaxy S5, enabling them to steal personal details.
The Zero Day Initiative (ZDI), host of the annual event, announced MWR Labs researchers, Bernard Wagner and Kyle Riley, from South Africa, won the Mobile Application/OS category, successfully demonstrating remote code execution on the Amazon Fire Phone through a Man-in-the-Middle attack. The researchers, based at MWR's South African office, have indicated that the exploit was possible due to a set of vulnerabilities within a pre-installed package on the device. To prove they were able to execute arbitrary code remotely, the criteria stipulated the researchers should be able to retrieve files from exploited devices ? such as SMS messages and photos ? without any user interaction. The prize for this category was $50 000.
"This is a fantastic accolade for the MWR Labs team in South Africa," said Harry Grobbelaar, MD of MWR InfoSecurity in South Africa. "It is undisputable proof of the talent MWR has been cultivating in the South African market, and the quality of our professional services, helping customers with all areas of cyber security."
In addition, from the UK, Robert Miller and Jonathan Butler won the Short Distance Category after they were able to demonstrate exploitation against the Samsung Galaxy S5 over Near Field Communication (NFC). They successfully retrieved personal information from the device, securing the win and $75 000.
"MWR is proud to receive these awards," said Ian Shaw, Group MD of MWR InfoSecurity. "Our researchers from across the globe work extremely hard; and entering competitions, such as Pwn2Own, are vitally important as it keeps us at the sharp edge of the industry.
"This work forms part of a wide-ranging programme of security research at MWR on a global scale and highlights the ongoing need for mobile developers and manufacturers to prioritise security, in order to keep customers safe."
The MWR Labs research also identified additional vulnerabilities, which will first be reported to Amazon and Samsung in the coming weeks. It intends to publish advisories in due course for these vulnerabilities on its Web site (https://labs.mwrinfosecurity.com/) in accordance with MWR's disclosure policy.
Share