
After taking a year off to do some paperwork, the Zero Day Initiative (ZDI) invites you to join us for the fifth annual Mobile Pwn2Own competition, to be held this year on October 26 and 27 at the PacSec Security Conference in Tokyo, Japan. We’re looking forward to rewarding the world’s top security researchers for demonstrating and disclosing their attacks on the latest and most popular mobile devices. As we did earlier this year, we’ll crown an overall Master of Pwn.
This year, we’re upping the prize pool to over $500,000 USD, adding bonuses for quality exploits, and introducing new devices in order to attract the best and brightest researchers and enhance security for the most popular mobile platforms.
If you aren’t familiar with it, Mobile Pwn2Own is ZDI’s annual contest that rewards security researchers for demonstrating vulnerabilities on various mobile platforms. You have probably heard of our contest for other platforms, Pwn2Own, which was held in March this year at CanSecWest. With the near-ubiquity of mobile devices, vulnerabilities on these platforms are increasingly coveted and actively sought after by those looking to break into them. This contest helps to harden these devices and their operating systems by finding vulnerabilities first and sharing that research with the vendors. The goal is to get these bugs fixed before they’re actively exploited.
The Targets
This year’s contest brings three of the most popular smartphone platforms available:
1. Apple iPhone
2. Google Nexus
3. Samsung Galaxy
All of these phones will be running the latest version of their respective operating systems with all available patches installed. There are rumors of new versions of these phones being introduced between now and the contest. Should a new phone become available in time to be integrated into the contest, we’ll work to add it as an available platform.
The Categories
With this year’s contest, we decided to focus on three specific areas:
1. Obtaining sensitive information outside of the sandbox.
Imagine browsing to a website from your phone only to have all of your contacts stolen. Imagine viewing a text message that leaks your private photos. Valuable data exists on your phone, and we’re interested in methods attackers can use to gain access to that data.
2. Installing a rogue application.
Imagine opening your phone one day to find an app you didn’t install. One method of taking over a phone is to put your malicious app on it, and we’re interested in seeing how this can be done without user interaction.
3. Forcing the phone to unlock.
Our largest award goes to the most difficult attack – forcing a locked iPhone to open. In other words, if someone stole or seized your locked iPhone, could they access the data without your permission? This type of attack has come up in several high-profile cases recently, and we look forward to seeing someone attempt it.
Here are the monetary awards for each category and the associated points earned towards the Master of Pwn (more on that in a bit):
| Category | Phone | Prize (USD) | “Master of Pwn” Points |
| --- | --- | --- | --- |
| Obtaining Sensitive Information | Apple iPhone | $50,000 | 10 |
| Obtaining Sensitive Information | Google Nexus | $50,000 | 10 |
| Obtaining Sensitive Information | Samsung Galaxy | $35,000 | 7 |
| Install Rogue Application | Apple iPhone | $125,000 | 23 |
| Install Rogue Application | Google Nexus | $100,000 | 20 |
| Install Rogue Application | Samsung Galaxy | $60,000 | 15 |
| Force Phone Unlock | Apple iPhone | $250,000 | 42 |
The first contestant to successfully compromise a target within each selected category will win the prize for that category. A contestant has three attempts within a 20-minute time slot in which to complete the exploit, and each individual attempt is limited to 5 minutes. An attempt must be launched from the target under test, either by browsing to the malicious content in the default browser or by viewing or receiving a malicious MMS/SMS message. The full rules can be found here.
The Master of Pwn – now with Style Points!
We introduced the Master of Pwn title at this year’s Pwn2Own, and we’re extending it to Mobile Pwn2Own as well. Rather than have people speculate on a “biggest winner,” we formalized the process (and made a smoking jacket for it!). Points are awarded for each successful exploit, and the contestant with the highest total points at the end of the contest will receive 65,000 ZDI reward points (estimated at $25,000). For Mobile Pwn2Own, we’re adding style points for the more resilient and mature exploits. Here’s how it breaks down:
| Style Bonus | Criteria | Prize (USD) | “Master of Pwn” Points |
| --- | --- | --- | --- |
| Sniper Bonus | Successful on the first attempt | $0 | +2 |
| Strength Bonus | Successful three times in a row | $0 | +3 |
| Stealth Bonus | Exploit chain demonstrates full process continuation on the first attempt | $2,500 | +4 |
| Supreme Bonus | Executing code with kernel privileges | $10,000 | +5 |
For example, if a contestant has two successful entries (Obtaining Sensitive Information on the Apple iPhone with the Sniper Bonus, and Install Rogue Application on the Samsung Galaxy S7 with the Sniper and Strength Bonuses), their total would be 32 points: 10 + 2 for the first entry and 15 + 2 + 3 for the second.
The Complete Details
The full set of rules for Mobile Pwn2Own 2016 is available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly and completely should they choose to participate.
Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. Registration closes at 5:00 p.m. Pacific Time on October 24, 2016.
The Results
During the contest, Trend Micro’s Simply Security blog will be updated periodically with blogs and photos with the results from the competition. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #MP2O hashtag for continuing coverage.
We look forward to seeing everyone in Tokyo, and to seeing what exploits they bring with them. Dewa mata suguni ne (see you again soon).
Press
Please direct all Mobile Pwn2Own or ZDI-related media inquiries to zdi@trendmicro.com; and for Trend Micro specific questions, please contact Jerrod Resweber at publicrelations@trendmicro.com.