At the Mobile Pwn2Own competition 2017, white hat hackers earned over half a million dollars after successfully demonstrating vulnerabilities in Huawei’s Mate 9 Pro, Apple’s iPhone 7 and Samsung Galaxy S8. Mobile Pwn2Own is a hacking contest held every year at the PacSec conference in Tokyo, Japan, by Trend Micro’s Zero Day Initiative.
At this contest, over $500,000 was offered to white hat hackers for demonstrating exploit chains against the Google Pixel, iPhone 7, Huawei Mate 9 Pro and Galaxy S8. The targets this time were browsers, messaging, short-distance communications (NFC, Wi-Fi and Bluetooth) and baseband components.
The devices were running the newest versions of the OS and software. Just a day before the start of this competition, Google, Apple, and Huawei released patches for the versions to be inspected. On day one, around $350,000 were earned by the participants for discovering flaws allowing attacks on the Galaxy S8 Internet Browser, iPhone 7’s Safari, baseband on Mate 9 Pro and Wi-Fi on iPhone 7.
On day two, $25,000 was earned by MWR Labs for successfully hacking Huawei apps and disclosing 5 logic bugs in Google Chrome on the Mate 9 Pro. The bugs allowed a hacker to carry out a browser sandbox escape and data exfiltration. The team also won another $25,000 for hacking Internet Browser on the Galaxy S8, exploiting 11 flaws across six different apps to achieve arbitrary code execution and steal sensitive data.
And today starts with a bang as @mwrlabs demos a browser exploit on the Huawei Mate9 Pro! To the disclosure room for verification. #MP2O
— Zero Day Initiative (@thezdi) November 2, 2017
Folks from @mwrlabs were back at it. This time, they exploited Internet Browser on the #Galaxy S8. To the disclosure room for details! #MP2O
— Zero Day Initiative (@thezdi) November 2, 2017
$20,000 was earned by Qihoo 360, a China-based firm, for targeting the Wi-Fi component in iPhone 7 through a partially successful exploit. However, one of the three flaws leveraged by this exploit was already identified by another participant at the contest. Another $25,000 was earned by the same researcher from Qihoo 360 for hacking Safari on iPhone 7.
Confirmed! @mj0011sec demoed a bug on #Galaxy Browser & priv escalation via #Samsung app to persist a reboot. Earn $70K & 11 MoP points.
— Zero Day Initiative (@thezdi) November 1, 2017
Team from @mj0011sec wastes no time in successfully demonstrating their WiFi attack on #iPhone. Verifying all the details now. #MP2O
— Zero Day Initiative (@thezdi) November 2, 2017
Confirmed! @mj0011sec uses 2 bugs -1 in browser & 1 in a system service- to exploit #Safari. They earn $25K & 11 Master of Pwn points. #MP2O
— Zero Day Initiative (@thezdi) November 2, 2017
Researcher Amat Cama, alias Acez, was the last one to submit an entry and earned $50,000 for a baseband exploit that affected the Galaxy S8, using a stack-based buffer overflow to achieve arbitrary code execution.
In total, white hat hackers earned $495,000 at the two-day event. The highest Master of Pwn points, as well as the 65,000 ZDI reward points (worth nearly $25,000), were earned by the Tencent Keen Security Lab researchers.
It is worth noting that although one flaw was identified in the Google Chrome browser, nobody could come up with an exploit on Google’s Pixel. Details of all the identified flaws have been sent to the affected manufacturers, who will be given a 90-day deadline to fix them, after which a limited advisory containing information about the vulnerabilities will be made public, as noted in the blog post published by ZDI:
“A successful demonstration is just the first step. Representatives from Apple, Google, and Huawei can then ask for details on the exploit directly from the researchers. Since it takes a fully functional exploit chain to win any attempt, we provide the vendor 90 days to correct the issues. At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation to enable the defensive community to protect users.”