MWR InfoSecurity has won the prestigious Mobile Pwn2Own competition, held at the EuSecWest Conference, in Amsterdam, on 19 September.
Four researchers from MWR Labs, the company's research arm, found critical vulnerabilities in Android's Near Field Communications (NFC) functionality that could leave millions of users at risk.
IT security experts from all over the world participated in the competition, which is held every year. Nils Sommer and Jonathan Butler from the firm's UK office, and Tyron Erasmus and Jacques Louw from the company's South African office, exploited a standard, out-of-the-box Samsung Galaxy SIII phone running Android's latest operating system, by delivering a malicious file over the new S Beam feature, which uses the NFC functionality to send files between two phones.
“The demonstration at Pwn2Own allowed for the full compromise of the Samsung Galaxy SIII phone and installed a Trojan on the device, which enabled them to dial any number, gather all SMS, e-mail and data and gain full control of the device,” said Harry Grobbelaar, Managing Director of MWR InfoSecurity South Africa.
“This exploit could work on any Samsung Galaxy SIII smartphone sold in the world,” added Grobbelaar. “If exploited, many users could be at risk.”
The attack was completed in two stages: first using an initial security vulnerability to execute a code on the device; and then exploiting a further vulnerability using a customised version of Mercury, MWR's Android security assessment framework, to take full control of the smartphone.
Researchers sent malformed data to the phone until it crashed, which allowed them to write new code until appropriate conditions to exploit the phone were found, including bypassing randomisation of memory, getting the processor in the right state, bypassing non-executable memory protection and working around input restrictions that Android 4.0.4 Ice Cream Sandwich, Android's latest platform for mobile devices, provides, as well as reversing Samsung S-Beam to allow for the effective delivery of the file.
The same vulnerability could also be exploited through other attack vectors, such as malicious Web sites or e-mail attachments.
Similarly to the issues discovered and reported on in the Galaxy SII, these vulnerabilities again presented themselves due to insecure applications provided by the vendor and shipped with all the handsets.
“As a result of the fast adoption of mobile banking in South Africa and the rest of Africa, it is important that end-users treat their smartphones as mobile computers, and implement the same security measures as they would for a personal computer,” warned Harry Grobbelaar.
“Do not click on unrecognised e-mail links, open unknown files, respond to text messages that ask for personal details or call numbers sent in text message requests from unknown numbers, as these are known attack vectors that criminals are exploiting.”
“Even though exploitation is getting harder on modern platforms as a result of the use of mitigation techniques by the operating system, it is still possible with a dedicated team working on it,” added Harry Grobbelaar.
MWR Labs is the research arm of MWR InfoSecurity, which has offices in the UK and South Africa, and supplies services which support clients in identifying, managing and mitigating their information security risks.
Note to editors:
The prestigious Mobile Pwn2Own competition is run by HP TippingPoint Zero Day Initiative, and is sponsored among others by BlackBerry phone maker RIM and AT&T. The primary goal of the competition is to demonstrate the current security posture of the most prevalent mobile technologies in use today, including attacks on mobile Web browsers, near field communication (NFC), short message service (SMS), and the cellular baseband, with an only requirement of using a current device running the latest operating system.
For further information, please contact:
David Barzilay
M: +44(0)7860 322333
+44(0)207 544 8980
david@barzilay.co.uk
Julian Menendez
M: +44(0)78 3854 7531
T: +44(0)20 7544 8831
E: julian.menendez@blickrothenberg.com
Charlotte Rhodes
T: +44(0)1256 300920
M: +44(0)79 0983 1909
E: Charlotte.Rhodes@mwrinfosecurity.com
Or visit http://www.mwrinfosecurity.com/.
Share