Press Release

MWR successful in mobile Pwn2Own comp

News

MWR teams pwn Huawei and Samsung devices at PacSec 2017 competition. 

MWR Labs, the research arm of global consultancy MWR InfoSecurity, has successfully demonstrated attacks against the latest Android devices at this year’s mobile Pwn2Own competition. MWR Labs succeeded in exploiting both the Huawei Mate9 Pro and the Samsung S8 using previously unpublished vulnerabilities.

The Zero Day Initiative (ZDI), host of the annual event, announced that the MWR Labs team were successful in its ‘Browser’ category after they were able to demonstrate exploitation against the devices, having triggered a series of vulnerabilities in their default browsers without the need for any user interaction. In both cases this allowed MWR Labs to run code of their own on the devices, enabling them to read and write the user’s files, access the camera, and perform other such actions without the user being made aware.

“It's always exciting when we take part in these competitions and we're thrilled with the team's results,” said Ian Shaw, CEO of MWR InfoSecurity. “Our researchers from across the globe work extremely hard to identify flaws and then work with developers to fix and strengthen their code. Entering competitions, such as Pwn2Own, is vitally important as it keeps us at the sharp edge of the industry.

Both Huawei and Samsung have been made aware of the vulnerabilities and are now working to patch them. Once patched, MWR intends to publish advisories in due course on its website (https://labs.mwrinfosecurity.com/) in accordance with MWR’s disclosure policy.

About MWR InfoSecurity

Established in 2003, MWR is an independent cyber security consultancy delivering research-led cyber security for clients around the globe.

It provides specialist advice and solutions in all areas of security, from professional and managed services, through to developing commercial and open source security tools. It focuses on working with clients to develop and deliver security programs, tailored to meet the needs of each individual organisation. In a rapidly changing technology landscape, innovation is essential and its ambition to push boundaries sets it apart. Evidence of this approach is well documented on its dedicated research and development platform, MWR Labs.

Central to MWR's philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients.

 

 

Accreditations

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.