Pwn2Own hackers break Google Chrome on Nexus and Samsung Galaxy smartphones

Pwn2Own Mobile sees Nexus, Samsung Galaxy S4 and iPhone 5 broken.

Google Nexus 4 - Display

Google Chrome for Nexus phones has been broken during the Mobile Pwn2Own competition, leaving devices at risk of potentially serious compromise.

With Safari on an iPhone 5 and a Samsung Galaxy S4 already shown to have potentially serious weaknesses, a hacking crew called Pinkie Pie broke Chrome on a Nexus 4. They later did the same on the Galaxy device.

Advertisement - Article continues below

Companies need to take mobile security more seriously, especially when they start implementing things like Bring Your Own Device and allow customers to include corporate data on their phones.

The team were rewarded with $50,000 (31,000) for attacks that took advantage of two vulnerabilities: an integer overflow and another that resulted in a full sandbox escape. A hacker who took advantage of the flaws could remotely execute code, potentially allowing them to install malicious applications on a target phone.

As with the hacks on the iPhone 5 and Galaxy S4 earlier this week, the Chrome breach would require some social engineering to get the target to visit a malicious website.

Google were alerted to the vulnerability by Pwn2Own organisers, the HP Zero Day Initiative (ZDI). It had not responded to a request for comment at the time of publication.

Earlier this week, China's Keen Team were handed $27,000 for getting around Safari protections to steal Facebook login credentials for an iPhone and steal a picture taken of the Mobile Pwn2Own audience.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Japan's Team MBSD, of Mitsui Bussan Secure Directions, were rewarded with $40,000 for exploiting vulnerabilities in a number of Samsung applications installed by default on the popular Galaxy S4.

Apple and Samsung have been warned about the flaws, but neither had responded to requests for comment on the vulnerabilities. It's unclear when any of the Pwn2Own flaws will be patched.

Brian Gorenc, HP's manager of vulnerability research and head of the ZDI, told IT Pro people were now taking mobile threats seriously and Pwn2Own was helping spread awareness.

"That's why we launched Mobile Pwn2Ownto get researchers to responsibly disclose these vulnerabilities," Gorenc said. "We're really reaching out around the world to get research techniques that are unique, that we haven't seen before.

"Companies need to take mobile security more seriously, especially when they start implementing things like Bring Your Own Device and allow customers to include corporate data on their phones."

Despite the apparent success of the competition, no one received the top prize of $100,000, which was promised to anyone who could hack a phone's baseband processor, allowing them to scoop up radio signals and listen in on people's conversations.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/phishing/355936/inky-announces-20m-series-b-funding-round
phishing

INKY announces $20M Series B funding round

4 Jun 2020
Visit/security/ransomware/355909/microsoft-issues-warning-about-new-ponyfinal-ransomware-attacks
ransomware

Microsoft issues warning about new PonyFinal ransomware attacks

3 Jun 2020
Visit/security/data-breaches/355908/amtrak-guest-reward-suffers-a-data-breach
data breaches

Amtrak Guest Reward suffers a data breach

3 Jun 2020
Visit/security/cyber-security/355903/brand-impersonation-and-form-based-attacks-are-rising
cyber security

Brand-impersonation and form-based attacks are rising

3 Jun 2020

Most Popular

Visit/operating-systems/ios/355935/apple-confirms-serious-bugs-in-ios-135
iOS

Apple confirms serious bugs in iOS 13.5

4 Jun 2020
Visit/security/ransomware/355945/new-ransomware-uses-java-to-target-software-organisations
ransomware

Tycoon ransomware discovered using Java image files to target software firms

5 Jun 2020
Visit/hardware/355904/picking-the-perfect-multifunction-printer
Hardware

Picking the perfect multifunction printer

4 Jun 2020