Flaws win prizes at Mobile Pwn2Own

MWR Labs, the research arm of MWR InfoSecurity, has demonstrated security flaws in both the Samsung Galaxy S5 and Amazon Fire Phone.

One team of researchers from MWR Labs in the UK exploited the Samsung Galaxy S5, enabling them to steal personal details, while another team from MWR Labs in South Africa exposed a remote code execution on the Amazon Fire Phone.

The flaws were demonstrated at this year’s Mobile Pwn2Own event which took place during the Applied Security Conference (PacSec) in Tokyo, Japan. The discovery of the flaws resulted in MWR Labs winning two different categories at the event.

The Zero Day Initiative (ZDI), host of the annual event, announced MWR Labs UK researchers Robert Miller and Jonathan Butler as winners in the Short Distance Category, following their exploitation against the Samsung Galaxy S5 over NFC. They successfully retrieved personal information from the device, securing the win and $75,000 in prize money.

Bernard Wagner and Kyle Riley from South Africa won the Mobile Application/OS category, successfully demonstrating remote code execution on the Amazon Fire Phone through a Man-in-the-Middle attack. The South African based researchers indicated that the exploit was possible due to a set of vulnerabilities within a pre-installed package on the device. They walked away with $50,000 in prize money.

"MWR is proud to receive these awards," said Ian Shaw, Group MD of MWR InfoSecurity. "Our talented researchers span far and wide across the globe and they work extremely hard. Entering competitions, such as Pwn2Own, are vitally important as it keeps us at the sharp edge of the industry.

"This work forms part of a wide-ranging programme of security research at MWR on a global scale and highlights the ongoing need for mobile developers and manufacturers to prioritise security, in order to keep customers safe. We also plan to further develop MWR security research in Asia, with the recent addition of MWR facilities in Singapore."

The MWR Labs research also identified additional vulnerabilities, which will first be reported to Samsung and Amazon in the coming weeks.