back to article Pwn2Own crackers leave iOS and Samsung mobe security IN RUINS

Researchers attending the PacSec 2013 security conference in Japan have won nearly $70,000 after demonstrating how to compromise iPhones and a Samsung Galaxy S4 running Android in a mobile version of the legendary Pwn2Own hacking contest. A Japanese team from Mitsui Bussan Secure Directions earned $40,000 after showing how …

COMMENTS

This topic is closed for new posts.
  1. Air Supply
    Alert

    WP

    Nobody bothers hacking Windows Phone huh?

    1. AMB-York Silver badge

      Re: WP

      Doesn't look like it. All us WP users can be smug in the belief that we have a safe phone OS. Sadly, the truth is that we're an obscure minority who buy cheap phones. Not worth hacking as there's not enough of us and we can't afford a better phone, so nothing to steal.

      Mine's a Nokia 520 in a nasty shade of red.

      1. dogged

        Re: WP

        All minority systems have apparently greater security, mostly due to nobody bothering.

        This is why Mac users think they're secure.

      2. RyokuMas

        Re: WP

        Security through obscurity is no security at all, and - like I've said before - the biggest target is going to be the one the miscreants go after.

        Of course, it doesn't help that the biggest target is in this case the most open, and therefore the easiest.

        That said, I don't believe any system is completely secure against exploits when user action is required - there will always be someone who is stupid enough to press the big red shiny button.

        1. Mike Moyle

          Re: WP

          @ RyokuMas

          "Of course, it doesn't help that the biggest target is in this case the most open, and therefore the easiest."

          Whatever happened to Linux/Android is the SAFEST OS because it's open and everyone can look at the code?

          1. RyokuMas

            Re: WP

            @Mike Moyle: How do you define "safest"?

            Yes, everyone can look at the code. But what seems to be forgotten so often when this sort of discussion starts is that the vast majority of smartphone users are not tech-savvy. It doesn't make a blind bit of difference to Wayne or Sharon if they can see the code - in fact they're probably not even aware their phone runs Android, just as long as it's a Galaxy and you can text and play Angry Birds on it.

            So yes, open is great for those who understand the tech. But for those who don't - who are at the same time also the ones more likely to fall for social engineering tricks - it's an open playing field for the malware flingers. The fact that Android is open, and therefore simplest to get apps containing malware etc. onto makes it the easiest ecosystem to target.

      3. JLV
        Pint

        >Mine's a Nokia 520 in a nasty shade of red.

        Have a beer on me for having a sense of humor about your gear.

        Not dissing your choice, which is not mine, just nice to see someone not take it so seriously :-)

    2. Anonymous Coward
      Anonymous Coward

      Re: WP

      Does anyone have a Windows Phone?

      Why create a hack for an OS that nobody uses.

      It's also worth noting that the Samsung had quite an old version of Android on it...

      1. AMB-York Silver badge

        Re: WP

        I should point out - the bit about being secure through having a minority device was a joke.

        The bit about owning a Nokia 520 in nasty red is the truth.

        I like my Windows phone :)

      2. Anonymous Coward
        Anonymous Coward

        Re: WP

        "Why create a hack for an OS that nobody uses."

        WP is approaching 12% market share in the UK and EU top 5....And is ahead of IOS in Italy...

        1. Anonymous Coward
          Anonymous Coward

          Re: WP is approaching 12% market share

          = less than 5% but increasing?

          It;s easy to show big gains in market share from a near-zero position

          1. dogged

            Re: WP is approaching 12% market share

            See also, OSX and linux on the desktop.

    3. Anonymous Coward
      Anonymous Coward

      Re: WP

      WP is very tough to hack because of the secure boot stuff that the freetards made so much fuss about...Now they can see that it delivers as claimed.

      1. dogged

        Re: WP

        >WP is very tough to hack because of the secure boot stuff that the freetards made so much fuss about...Now they can see that it delivers as claimed.

        Wrong. SecureBoot requires a UEFI bootloader. WP is firmware, not UEFI.

        1. TheVogon

          Re: WP

          "Wrong. SecureBoot requires a UEFI bootloader. WP is firmware, not UEFI."

          Wrong: http://go.microsoft.com/fwlink/?LinkId=266838

          Windows Phone architecture uses a System-on-a-Chip (SoC) design provided by SoC vendors. The SoC vendor and device manufactures provide the pre-UEFI boot loaders and the UEFI environment. The UEFI environment implements the UEFI secure boot standard that is described in section 27 of the UEFI Specification (http://www.uefi.org/specs). This standard describes a process by which all UEFI drivers and applications are validated against keys provisioned into a UEFI runtime variable before they are executed.

          The UEFI and Windows document (http://msdn.microsoft.com/en- us/windows/hardware/gg463149.aspx) on MSDN describes the advantages of using UEFI and how UEFI is supported by desktop versions of the Windows operating system. Although the document focuses on UEFI and Windows, most of the information in the document also applies to Windows Phone.

          Microsoft provides the Windows Phone boot manager in the UEFI environment. After the pre-UEFI and UEFI components complete their boot processes, the Windows Phone boot manager takes over to complete the Windows Phone 8 boot process so that the user can start using the smartphone. All code in the Windows Phone operating system is signed by Microsoft, including OEM drivers and applications. Also, applications that are added after manufacturing, or installed from the Windows Phone Store or a private enterprise store must be properly signed to execute

  2. tony2heads
    Gimp

    Factor installed software

    Would the attach work with a plain (i.e. NON-Samsung) version of Android? Or even a Cyanogenmod?

    1. Anonymous Coward
      Anonymous Coward

      Re: Factor installed software

      "It's also worth noting that the Samsung had quite an old version of Android on it..."

      The newer versions are still Java on top of Linux. Trying to keep that secure is like trying to secure water with a sieve and a cheese grater....

      1. Frumious Bandersnatch

        Re: Factor installed software

        The newer versions are still Java on top of Linux. Trying to keep that secure is like trying to secure water with a sieve and a cheese grater....

        So, you're saying it's easy, then? (hint: freeze the water first)

  3. paulc

    Fixes?

    When will the ordinary user get to see them? It takes ages for the operators to put out an OTA update...

    1. thesykes

      Re: Fixes?

      What it needs, for carriers to remove their collectives fingers from their arses, is a little persuasion.

      If, for example, someone with an S4 (after Samsug has released the update required) happened to stumble on a compromised website, entirely accidentally of course, and was pwned, could they then take the negligent carrier to court, as their inaction has left the phone insecure, despite a fix existing and being available?

      1. Brewster's Angle Grinder Silver badge

        Re: Fixes? @thesykes

        In principle: yes.

        In practice: the carrier would deploy lawyers and consultants to show how disproportionate the cost of adapting the upgrade would be in comparison to your losses.

    2. sabroni Silver badge

      Re: It takes ages for the operators to put out an OTA update...

      iPhones are updated by Apple, and most devices are now on iOS7. If so then the problem of operators not updating surely only effects the Android phone in the report.

      1. an it guy

        Re: It takes ages for the operators to put out an OTA update...

        well, in my experience at my office, those who have upgraded to iOS 7 are advising the rest of the office not to upgrade. it's about 50/50 of those who have or have not upgraded. I know it's nowhere near a large enough sample, but I'd warrant lots are on iOS7, but quite a large number have chosen not to upgrade.

      2. Anonymous Coward
        Anonymous Coward

        Re: It takes ages for the operators to put out an OTA update...

        "If so then the problem of operators not updating surely only effects the Android phone in the report."

        You clearly have no history of Apple patches then have you.

        Search for "Apple finally patches" and see what you get

      3. Ivan Headache

        Re: It takes ages for the operators to put out an OTA update...

        "iPhones are updated by Apple, and most devices are now on iOS7."

        Not in this house!

        1 is on iOS7, 2 are on iOS5

        You can choose to update or not. Only 1 in this house has chosen to update - and I expect that there are a significant number of others (outside this house) who do not like the new OS, running iOS 6.

        (They are not all outside my house - some of them live round the corner.)

        1. sabroni Silver badge

          Re: It takes ages for the operators to put out an OTA update...

          The original point was that operators are slow to put out OTA updates (it's there in the title). I mentioned that Apple push updates without using the operators so it's only Androids that suffer this. So why is everyone pointing out that they know iOS users that have chosen not to upgrade? The Android users haven't got that choice if the Operators don't push (providing they're not on a Nexus device for the rest of you smartarses.) That's the point, with iOS you have a choice that a lot on Android users don't. Not often I get to type that!!!

    3. Anonymous Coward
      Anonymous Coward

      Re: Fixes?

      Nonsense.

      I got Android 4.4 on all my devices last night.

      1. Alan Edwards

        Re: Fixes?

        Cool, still waiting for it on my 3G Nexus 7.

        Are your devices unlocked, or carrier-locked and loaded up with their crapware? If it came from the carrier, the software update will come from them too (and may never arrive).

  4. Anonymous Coward
    Anonymous Coward

    @sabroni

    Reading the article would be your man here.

    "Meanwhile, an eight-person team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials "

    I'd be willing to be that in the case of a frightening percentage of cases that "facebook password" = "password for everything"

    1. sabroni Silver badge
      Meh

      Reading the article would be your man here.

      Really? I normally just wade straight into the comments.

      Doesn't really adress my point, made so eloquently yet totally missed above, that Apple push udpates without using the Operators. So Apple can apply a fix, Google can fix Nexus devices, most others on Android using a manufacturer's version are stuck with the vulnerability. Do you get it now? Not sure how to make it any clearer...

  5. lansalot

    OK El-Reg...

    WHAT'S with all THE CAPITALS in HEADLINES lately?? DESPERATE for ATTENTION or something ??

    1. Flawless101

      Re: OK El-Reg...

      You're on the frigging site already, commenting on an article. I'm not sure how much more attention you could possible give them.

    2. dopefish

      Re: OK El-Reg...

      Quite clearly taking a leaf out of the Daily Mail method of headlines :

      MAN looks in MIRROR and SEES OWN REFLECTION

      (WARNING-GRAPHIC CONTENT).....immediately proceeded by said graphic content

  6. Anonymous Coward
    Anonymous Coward

    ?

    >showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4,

    ug?

    1. a53

      Re: ?

      So from iOS7 they got FB login info, and from iOS6 they got a photo. However, as with all these things, there's only so much you can do to protect against naiveté. Trojans exist for all OS's. Sandboxing helps enormously.

This topic is closed for new posts.

Other stories you might like