Security protections for the iPhone 5S, Samsung Galaxy S5, Nexus 5 and Amazon Fire Phone came undone on the first day of the Mobile Pwn2Own hacking competition at the PacSec security conference in Tokyo.

The contest is currently in its third iteration and attracted sponsorship from Google and BlackBerry.

NFC technology abused to own the phones

In most of the cases, the attack vector used by the hackers to take control of the phones was the Near Field Communication (NFC) technology, which is available in the latest models of smartphones from prominent vendors.

During the competition, the hackers relied on NFC to trigger a deserialization issue in code specific to Samsung, which led to the compromise of a Galaxy S5; this was achieved by Team MBSD from Japan.

Another successful attempt to own the same type of device, also through NFC, belonged to Jon Butler of South Africa’s MWR InfoSecurity, who took advantage of a logical error. The error is specific to Samsung Galaxy S5 devices.

The Google-supported Nexus 5 from LG was the second smartphone to fall victim to an NFC attack. Initiated by Adam Laurie from the UK’s Aperture Labs, the compromise consisted of an exploit stemming from two security vulnerabilities that forced two devices to pair through Bluetooth.

iPhone 5S and the Fire Phone compromised

However, the main event was the compromise of the iPhone 5S, an action that made use of two bugs to create a full sandbox escape in the Safari mobile web browser. The feat was achieved by lokihardt@ASRT.

MWR InfoSecurity managed to compromise another mobile phone, this time Amazon’s Fire Phone. It was a three-man effort that combined a total of three bugs aimed at the device’s web browser; this successful hack ended the first day of the competition.

Organized by HP’s Zero-Day Initiative (ZDI), this year’s Mobile Pwn2Own is sponsored by Google and BlackBerry with prizes amounting to $425,000 / €341,500.

Two more contestants in the second day

All vulnerabilities exploited during the competition are zero-days, and any details relating to them and the exploit techniques used are provided only to the vendors, via responsible disclosure, and HP ZDI.

The conclusions of the first day of the contest are easy to draw: despite all security claims, smartphones are vulnerable. The targets were Samsung Galaxy S5, LG Nexus 5, iPhone 5S and Amazon Fire Phone, and all of them have been compromised, either through code specific to the manufacturer or through the technology they integrate.

On Thursday, the second and last day of this year’s competition, the final two participants take aim at Windows Phone (Nico Joly) and the Android operating system (Jüri Aedla).