Carnage. Pwnage everywhere. Empty streets, wailing widows, and the smoking remains of a hotel where the sign is barely visible, hanging from a shattered chain and swinging in the wind -- NH Amsterdam Centre Hotel. Something black catches my eye -- it's just a rag, caught on a broken base station arm. On closer inspection I can make out a few words: Zero Day Initiative... EUSecWest... Mobile Pwn2Own... and the famous trio of white X's signifying the Amsterdam coat of arms. What happened here?
Okay, okay; enough of the drama. But seriously, we did almost set fire to one of our USB adapters (see pic below) and learned the hard way that power supplies differ between Europe and the USA. Or rather, that no matter how much you prepare there's always something that can go wrong. However, ZDI's first international Pwn2Own contest focused on mobile devices couldn't have gone much better.
For those of you who aren't aware, Pwn2Own is a hacking contest that has been held annually since 2007 at CanSecWest in Vancouver. Due to the increase in the mobile attack surface, we decided to expand the contest and run an additional, strictly mobile event at EUSecWest in Amsterdam. The prizes ranged from $30,000 to $100,000 USD in the following categories: Mobile Web Browser, Mobile OS, NFC, SMS, and Cellular Baseband. There's lots more detail on the contest, exploits, and prizes, but here's a quick summary of the proceedings.
On September 19th, the first official day of the contest, Joost Pol and Daan Keuper from Certified Secure went for the mobile browser category, targeting Safari running on Apple's iPhone 4S and iOS 5.1.1. This vulnerability is also present in iOS 6.0, which Apple recently released for the iPhone 5. It took about 3 minutes for them to demonstrate their exploit, and the team was able to pull pictures and contacts off of the phone.
"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol, CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."
"We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day," Pol said in an interview.
-Ryan Naraine, ZDNet
A little later in the day, our second contestants stepped up to bat: a team from MWR Labs in South Africa. The team consisted of Tyrone Erasmus, Jacques Louw, Jon Butler, and Nils. They opted for the operating system category, choosing NFC as a vector into a vulnerability present in the document viewer on the Samsung Galaxy SIII running Android 4.0.4. As fate would have it, networking issues prevented the exploit from being properly sent to the phone, so we spent about 45 minutes making sure the network equipment was configured properly while MWR Labs made some very minor tweaks to their exploit code. Apparently, there is such a thing as being too close to the wireless access point... As soon as we resolved that issue, we found out that the CAT5 cable going to the router was defective. Fun, eh?
Once the networking issues were resolved the exploit went off without a hitch. The team demonstrated full remote code execution by using their own Mercury shell payload to download all of the pictures and contacts stored on the phone.
"We used the NFC method for showmanship," said Erasmus, who added that using NFC means that people can be targeted when they simply walk past a potential attacker. Though the phones must be very close to each other -- almost touching -- only a very brief connection is needed to upload the payload data, after which a Wi-Fi connection can be established, allowing the attacker to download information from the targeted phone, the researchers said.
-Loek Essers, IDG News Service
Congratulations to Certified Secure and MWR Labs for each winning $30,000 as the first official winners of Mobile Pwn2Own!
One comment we have heard about past Pwn2Owns is that they finish pretty quickly. To make things a little more interesting this year, we included several mobile security-related demos to capture and keep conference attendees' attention.
Janne Vuontisjärvi from Codenomicon came with his own RF enclosure and mobile base station with which he ran Codenomicon's SMS fuzzer throughout the competition. We gave him a couple of our phones to run his fuzzer against and were able to see crashes.
Bogdan Alecu from m-sec.net demonstrated his SIM Toolkit attack, in which he is able to construct an SMS that causes the recipient's phone to send a text message to a number of his choosing. The recipient's phone was sending texts to a premium number but Bogdan demonstrated that the user is never made aware that they are sending anything. Although his demo showed an innocuous use of this, a malicious person could create a premium number and then send crafted SMSs en masse. This would essentially funnel the users' money to the attackers, and is just one of the examples of the severity of Bogdan's findings.
Georg Wicherski from CrowdStrike demonstrated a vulnerability in the Android browser, as tested on a Samsung Galaxy SIII. Using NFC as a vector to open a URL, he bypassed NX and ASLR to contact his command and control server. The bug for which he demonstrated code execution has been patched in the latest version of Android. After the phone contacted his command and control server, it started sending messages that revealed its current location on Google Maps.
In support of Mobile Pwn2Own 2012, the ZDI team began investigating NFC using GNURadio and several hardware platforms including the USRP2 and inexpensive USB DVB-T dongles based on the Realtek RTL2832U (rtl-sdr). So far, we have set up all the hardware including amplifiers, antennas, HF converters, etc., and implemented a flow graph in GNURadio which allows reception and isolation of the waveforms of both reader-to-card and card-to-reader communications of NFC type-A cards. This represents decoding at the OSI physical layer. As the project is ongoing we will be adding command decoding / sniffing in the coming months. At MP2O Jonathan Andersson demonstrated USRP2-based RF decoding and we will demonstrate further progress at PacSec 2012.
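To make the physical-layer decoding described above concrete, here is an added example that is not ZDI's GNURadio flow graph or any code from this post: a small Python model of the ISO/IEC 14443 Type A bit coding at 106 kbit/s. Reader-to-card traffic is Modified Miller on a 100% ASK carrier (sequences X, Y and Z), card-to-reader traffic is Manchester on the 847 kHz load-modulation subcarrier (sequences D, E and F), and on top of both sits the ISO 14443-3 framing of LSB-first bytes with an odd parity bit after each byte. The sample resolution (8 samples per bit period), the ATQA value used in the demo and all function names are constructed assumptions; the input is the on/off envelope an envelope detector in an SDR chain would hand to the next block, which is exactly what a passive sniffer has to turn back into bits.

```python
"""Toy ISO/IEC 14443 Type A (106 kbit/s) physical-layer coder/decoder.

Constructed example: one bit period (128/fc, about 9.44 us) is SPB samples
of an on/off envelope (1 = carrier or subcarrier present, 0 = absent), i.e.
what an envelope detector in an SDR flow graph emits. Not GNURadio code."""

SPB = 8            # samples per bit period (constructed resolution)
HALF = SPB // 2

# --- Reader -> card: Modified Miller on a 100% ASK carrier ----------------
# X: pause in the middle of the bit, Y: no modulation, Z: pause at the start.
def _miller_seq(kind):
    s = [1] * SPB
    if kind == "Z":
        s[0] = s[1] = 0
    elif kind == "X":
        s[HALF] = s[HALF + 1] = 0
    return s

def miller_sequences(bits):
    """Bits -> X/Y/Z sequences, with SOF (Z) and EOF (logic 0 then Y)."""
    seqs, prev = ["Z"], 0               # SOF behaves like a preceding 0
    for b in list(bits) + [0]:          # trailing 0 is the first half of EOF
        if b == 1:
            seqs.append("X")
        else:                           # 0 after 0 (or after SOF) is Z, else Y
            seqs.append("Z" if prev == 0 else "Y")
        prev = b
    return seqs + ["Y"]

def miller_encode(bits):
    return [x for k in miller_sequences(bits) for x in _miller_seq(k)]

def miller_decode(samples):
    """Envelope samples -> bits; stops at the EOF and strips it."""
    i = samples.index(0)                # first pause = start of the SOF bit
    seqs = []
    while i + SPB <= len(samples):
        chunk = samples[i:i + SPB]
        seqs.append("Z" if chunk[0] == 0 else "X" if chunk[HALF] == 0 else "Y")
        i += SPB
    if not seqs or seqs[0] != "Z":
        raise ValueError("no start of communication")
    bits, prev = [], 0
    for s in seqs[1:]:
        if s == "Y" and prev == 0:      # Y never follows a 0 in data: EOF
            break
        bits.append(1 if s == "X" else 0)
        prev = bits[-1]
    return bits[:-1]                    # drop the logic 0 that begins the EOF

# --- Card -> reader: Manchester on the 847 kHz load-modulation subcarrier --
# D: subcarrier in first half (logic 1, also start of communication),
# E: subcarrier in second half (logic 0), F: no subcarrier for a whole bit.
def manchester_encode(bits):
    out = []
    for b in [1] + list(bits):          # leading D = start of communication
        out += [1] * HALF + [0] * HALF if b else [0] * HALF + [1] * HALF
    return out + [0] * SPB              # F = end of communication

def manchester_decode(samples):
    i = samples.index(1)                # first subcarrier burst = SOC
    bits = []
    while i + SPB <= len(samples):
        pair = (samples[i], samples[i + HALF])
        if pair == (1, 0):
            bits.append(1)
        elif pair == (0, 1):
            bits.append(0)
        else:
            break                       # sequence F: end of communication
        i += SPB
    return bits[1:]                     # strip the SOC bit

# --- ISO 14443-3 framing: LSB-first bytes, odd parity after each byte ------
def short_frame_bits(cmd):
    """7-bit short frame, e.g. REQA (0x26) or WUPA (0x52)."""
    return [(cmd >> k) & 1 for k in range(7)]

def standard_frame_bits(data):
    bits = []
    for byte in data:
        b = [(byte >> k) & 1 for k in range(8)]
        bits += b + [1 - (sum(b) & 1)]  # parity makes the count of 1s odd
    return bits

def parse_standard_frame(bits):
    if len(bits) % 9:
        raise ValueError("frame is not a whole number of 9-bit symbols")
    out = bytearray()
    for i in range(0, len(bits), 9):
        byte_bits, parity = bits[i:i + 8], bits[i + 8]
        if (sum(byte_bits) + parity) % 2 == 0:
            raise ValueError(f"parity error in byte {i // 9}")
        out.append(sum(b << k for k, b in enumerate(byte_bits)))
    return bytes(out)

if __name__ == "__main__":
    print("REQA bits:", miller_decode(miller_encode(short_frame_bits(0x26))))
    atqa = b"\x04\x00"                  # constructed ATQA value for the demo
    print("ATQA bytes:", parse_standard_frame(manchester_decode(
        manchester_encode(standard_frame_bits(atqa)))))
```

The two directions are deliberately kept separate because they look nothing alike on the air: the reader's pauses are deep carrier drops a few microseconds long, while the card's reply is a faint subcarrier riding on the reader's field, which is why a sniffer flow graph needs a different isolation path (and usually an amplifier) for each. The parity check in `parse_standard_frame` is the first place a bad antenna position shows up as corrupted bytes rather than silence.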
We want to give special thanks to Dragos Ruiu and his team for hosting another outstanding conference in Amsterdam, the individual contributors who took time to be part of this event, and our sponsors Research in Motion (RIM) and AT&T. We gave out $60,000 in cash prizes along with the exploited phones to the winners. Additionally, many participants received ZDI reward points. Thanks to our team back in Austin for helping us to organize this, and finally to the conference attendees -- looking forward to even greater participation in the future.