Both the iPhone 4S running iOS 6 and the Samsung Galaxy S III running Android 4.04 have fallen to separate flaws in this year's Pwn2Own mobile challenge.
The heretofore unrevealed flaws allowed security researchers to walk away with prizes of $30,000 each, paid for by HP, who sponsored the contest.
Security researchers Joost Pol and Daan Keuper from Certified Secure cracked Safari, allowing them to hijack the address book, photos, videos and browsing history from a fully patched iPhone 4S by simply visiting a malicious website, which could as easily have been embedded in an ad network. The exploit did not crash the browser, leaving the user oblivious to the hack.
"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol.
"The easy part was finding the WebKit zero-day," Pol said in an interview.
"We specifically chose this one because it was present in iOS 6 which means the new iPhone coming out today will be vulnerable to this attack," Pol said, confirming it still worked on the iOS 6 Gold Master.
"BlackBerry also uses WebKit but they use an ancient version. With code signing, the sandbox, ASLR and DEP, the iPhone is much, much harder to exploit," Pol said. He noted he could as easily have gone after Android, but chose the iPhone as a harder target.
"The CEO of a company should never be doing e-mail or anything of value on an iPhone or a BlackBerry. It’s simple as that. There are a lot of people taking photos on their phones that they shouldn’t be taking," Pol said.
The Samsung Galaxy S III also fell to a vulnerability in a file viewer, exploiting NFC to deliver the payload to the phone without any user intervention.
MWR Labs hacked the phone, which allowed them to download all data from the Android smartphone, including text messages, pictures, emails and contacts, place a call to a premium rate number or take photos with the phone’s camera, essentially resulting in full control over the device.
The exploit took advantage of two zero-day vulnerabilities, which bypassed several Android security mitigation features. MWR Labs said the attack succeeded because the implementation of various security technologies was "incomplete" in Android version 4.0.4, codenamed Ice Cream Sandwich.
"NFC is the delivery mechanism and the vulnerability itself is in a parser in the operating system," said Brian Gorenc, manager, Zero Day Initiative. The exploit could however easily be installed simply by bumping into a target in a subway.
The Nokia Lumia 900 was also entered in the contest, but it is not clear if any attack on the handset was attempted.