The 2016 edition of Mobile Pwn2Own has wrapped, and the contestants demonstrated some unique attacks against the iPhone 6S and Nexus 6P. By the end of the day, researchers showed how phones – even while running the latest software and patches – could have a rogue application installed and pictures or data stolen. With multiple successful exploits, Tencent Keen Security Lab Team claimed the title of Master of Pwn with 45 points and $215,000 total awarded.
The competition started with Tencent Keen Security Lab Team targeting a Google Nexus 6P. Their attempt to install a rogue application succeeded earning them $100,000. They combined two different bugs in Android then leveraged other weaknesses within the OS on their first and subsequent attempts. By acing all three attempts, they earned the sniper, strength, and stealth style point bonuses. In the end, they tallied up $102,500 USD and 29 points towards Master of Pwn.
Next, Tencent Keen Security Lab Team targeted the iPhone 6S with a rogue application. The app did install, but it didn’t persist after a reboot of the phone. As such, this only counts as a partial success. Still, they used some interesting bugs that should be fixed. These bugs earned them a $60,000 USD award but no Master of Pwn points.
Robert Miller and Georgi Geshev from MWR Labs then took their turn targeting the Google Nexus 6P with a rogue application installation. Sadly, it seems a recent Chrome patch made their exploit too unstable. They were not able to install a rogue application on the phone within the allotted time. They still showed some innovative research that purchased through normal ZDI channels.
The final entry saw Tencent Keen Security Lab Team target the iPhone 6S to leak photos. They combined a use-after-free (UAF) bug in the renderer and a memory corruption bug in the sandbox to steal a photo from the phone. This earned the team another $52,500 USD and, thanks to style points for sniper and stealth, another 16 point towards Master of Pwn. We disclosed the bugs involved to Apple through our standard disclosure process via email.
With two successful and one partial success, Tencent Keen Security Lab Team was awarded the title of Master of Pwn with total winnings of $215,000 and 45 points. Congratulations on some great research.
This contest revealed some fantastic research in the realm of mobile security. The market for software vulnerabilities continues to evolve and mature – especially in the mobile space. Bugs are becoming more valuable, and researchers have a variety of options on what to do with the flaws they discover in popular phones. As entertaining as the Mobile Pwn2Own competition may be, it exposes the seriousness of understanding the current threats and weaknesses. This year’s competition succeeds in that regard. While not every entry was declared a full winner, all of them used flaws in phones that should be addressed by the vendor.
Thanks again to the research teams that participated in this year’s contest. It was great seeing everyone who attended, and we look forward to seeing everyone again in 2017!