Press Release

MWR Labs expose vulnerabilities in Samsung Galaxy S5 and Amazon Fire Phone

Double win for global security firm MWR InfoSecurity at Mobile Pwn2Own 2014

At this year’s Mobile Pwn2Own event, which took place during the Applied Security Conference (PacSec) in Tokyo, MWR Labs, the research arm of global consultancy MWR InfoSecurity, won two different categories by exclusively demonstrating security flaws in both the Samsung Galaxy S5 and Amazon Fire Phone. One team of researchers from MWR Labs in the UK exploited the Samsung Galaxy S5, enabling them to steal personal details, while another team from MWR Labs in South Africa exposed a remote code execution flaw on the Amazon Fire Phone.

The Zero Day Initiative (ZDI), host of the annual event, announced MWR Labs researchers Robert Miller and Jonathan Butler, from the UK, as winners in the Short Distance Category after they were able to demonstrate exploitation against the Samsung Galaxy S5 over Near Field Communication (NFC). They successfully retrieved personal information from the device, securing the win and $75,000.

In addition, Bernard Wagner and Kyle Riley from South Africa won the Mobile Application/OS category, successfully demonstrating remote code execution on the Amazon Fire Phone through a Man-in-the-Middle attack. The researchers, based out of MWR’s South African office, have indicated that the exploit was possible due to a set of vulnerabilities within a pre-installed package on the device. The prize for this category was $50,000.

“MWR is proud to receive these awards,” said Ian Shaw, MD of MWR InfoSecurity. “Our researchers from across the globe work extremely hard, and entering competitions, such as Pwn2Own, is vitally important as it keeps us at the sharp edge of the industry.

“This work forms part of a wide-ranging programme of security research at MWR and highlights the ongoing need for mobile developers and manufacturers to prioritise security, in order to keep customers safe.”

The MWR Labs research also identified additional vulnerabilities, which will first be reported to Samsung and Amazon in the coming weeks. It intends to publish advisories in due course for these vulnerabilities on its website in accordance with MWR’s disclosure policy.

About Mobile Pwn2Own 2014

Mobile Pwn2Own is ZDI’s annual contest that rewards security researchers for highlighting security vulnerabilities on mobile platforms. With the near-ubiquity of mobile devices, vulnerabilities on these platforms are becoming increasingly coveted and are actively and vigorously hunted by criminals for exploitation. This contest helps to harden these devices by finding vulnerabilities first and sharing that research with mobile device and platform vendors.
