eEye Digital Security

Mobile Pwn2Own Exploits in Action | Mobile Monday Update

The security scene has been eventful since our last Mobile Monday thanks to the Mobile Pwn2Own competition in Amsterdam.  Both Android and iOS were vulnerable to some pretty unique exploits.

iOS (including iPhone 5)

Confirmed vulnerable: iOS 5.1.1 and iOS 6 across all devices

Exploit allows attackers to grab your contacts and photos

Dutch security researchers Joost Pol and Daan Keuper of Certified Security debuted a remote Safari exploit. The as-yet-unnamed exploit takes advantage of a WebKit 0-day to break out of iOS's security sandbox. Once outside the sandbox, the code gives attackers a vector to remotely steal pictures and address book details. Though they have shown several demonstrations of the exploit, Joost and Daan have yet to divulge exactly how the exploit works for fear that cybercriminals will try to take advantage of it.

Enterprise Impact

The potential privacy impact of this exploit's release is high, though it has not been seen in the wild. As the demonstration video shows, the attack vector only requires that the victim visit a malicious webpage in Safari. Beyond that, no user interaction with the page is required.

Though photo and contact databases were left wide open once exploited, mail and SMS data remain safe and encrypted. As of this post, Apple has not indicated when a fix for this exploit is coming. We'll keep administrators informed of any updates in the meantime.

Mitigation

Concerned administrators can mitigate the attack vector by restricting the use of Safari until the exploit is patched. For PowerBroker Mobile users, administrators can disable Safari via the restrictions policy tab.

Android 4 Document Viewer Exploited

Confirmed vulnerable: All Android versions. Attack vector for NFC devices only.

Near Field Communication (NFC) used to exploit vulnerable document viewer

MWR Labs used a previously discovered exploit of Android’s Beam technology to deliver their own 0-day exploit. The new vulnerability can then be used to gain limited control of a device; it takes advantage of shortcomings in Android’s Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) features. From there, MWR used another known privilege escalation technique to fully root and control the device.

Enterprise Impact

While MWR's demo uses previously known NFC and privilege escalation techniques, the exploit itself “is in the parser of the operating system.” NFC is currently only supported on a small segment of total Android devices running the 4.x operating systems. While there is no known software fix, the author of the exploit believes that Jelly Bean (Android 4.1) will not be vulnerable due to improved ASLR and DEP techniques.

Mitigation

Enterprises with 4.x devices should consider disabling NFC until Google and device manufacturers release an official fix.
