Security researchers present at the Mobile Pwn2Own competition managed to hack the iPhone 5S, Galaxy S5, Nexus 5 and Amazon's Fire Phone. Other devices from the competition included the iPad Mini, BlackBerry Z30, Nexus 7 and Lumia 1520. The event was organized by HP's Zero Day Initiative and was sponsored by BlackBerry and Google's Android Security team.
The iPhone 5S was the first device to fall on the first day of the competition. The South Korean team that hacked it found two vulnerabilities inside the Safari browser, which they used to escape the sandbox.
The next device to get hacked was Samsung's Galaxy S5. Two teams from Japan and South Africa managed to attack it through NFC. Two NFC bugs were also what got the Nexus 5 hacked. The team then used two bugs to pair the device with another phone through Bluetooth to gain further access.
Shannon Sabens, a senior security content developer at HP, claimed in a blog post that this method was also used in the Person of Interest show on TV. Amazon's Fire Phone was also hacked using three bugs found in the phone's browser.
On the second day, other researchers weren't as successful, managing only partial attacks. One of them tried a Wi-Fi attack against the Nexus 5, but he failed to elevate his privileges. Another team, from France, tried to hack the IE browser on the Lumia 1520, but they only succeeded in extracting the cookie database. The team was unable to escape the phone's sandbox and gain full control.
It seems the more popular devices were targeted first, but it's not clear whether other devices such as the Nexus 7 or BlackBerry Z30 were a lower priority for researchers, or if they were just much more secure than those that did get hacked.
It does seem that each researcher or team of researchers picked their own device, so whether one of those devices could be broken or not depended more on that particular researcher's skill. This could explain why the Nexus 5 was hacked in one case, but not in another, and also why the Nexus 7 wasn't hacked, even though it ran the same software.
The exploits have already been reported privately to the companies affected, so they get a chance to fix any issues before they become public knowledge. HP, the coordinator of the event, will make the vulnerabilities public in the coming weeks.