MWR Labs, the research arm of global consultancy MWR InfoSecurity, exposed a flaw in the Galaxy S5 and the Amazon Fire Phone, which they successfully demonstrated at this year’s Mobile Pwn2Own competition in Tokyo.
The S5 flaw, which led to the UK-based winning the Short Distance Category, makes use of an exploit in the Near Field Communication (NFC) capabilities to steal personal information from the smartphone.
“This work forms part of a wide-ranging programme of security research at MWR on a global scale and highlights the ongoing need for mobile developers and manufacturers to prioritise security, in order to keep customers safe,” the team of Robert Miller and Jonathan Butler said in a media statement.
MWR Labs’ South African arm won the Mobile Application/OS category after they successfully managed to execute remote code on the Amazon Fire Phone through a technique called a Man-in-the-Middle attack.
The team’s Bernard Wagner and Kyle Riley explained that they were able to execute the remote code through an exploit in the vulnerabilities within a pre-installed package on the smartphone. Scooping up the $50 000 prize money, the team had to execute arbitrary code remotely to prove that they were able to retrieve files like SMS messages or photos from exploited devices.
“This is a fantastic accolade for the MWR Labs team in South Africa,” said Harry Grobbelaar, MD of MWR InfoSecurity in South Africa. “It is undisputable proof of the talent MWR has been cultivating in the South African market and the quality of our professional services, helping customers with all areas of cyber security.”
The teams also identified other security issues within both smartphones, and those will be reported to Samsung and Amazon in the next couple of weeks.
[Source – MWR Labs]