Security researchers are always trying to find software or firmware holes to exploit so that they can then fix the problem before malicious hackers do the same thing. The two-day Mobile Pwn2Own competition in Japan found the iPhone 7, the Samsung Galaxy S8 and the Huawei Mate 9 Pro all vulnerable to various hacks.
The competition, part of Trend Micro's Zero Day Initiative designed to "reward security researchers for responsibly disclosing vulnerabilities," finished day one after seven attempts to hack three different smartphones. Five attempts were successful, three on the iPhone 7 running the most current operating system, iOS 11.1.
The areas that the researchers were focused on were browsers, short distance and WiFi, messaging, and broadband. The target on each phone offers its own prize money and points, with special bonus points and money for things like persistence (the exploit stays after a reboot), or if the exploit payload executes with kernel-level privileges. The researcher with the most points will also be granted the Master of Pwn title and a trophy, in addition to the prize money.
Here were the successful hacks:
- iPhone 7: Tencent Keen Security Lab got code execution through a WiFi bug and escalated privileges to persist through a reboot ($110,000).
- Huawei Mate 9 Pro: Tencent Keen Security Lab used a stack overflow in the Huawei baseband processor ($100,000).
- Samsung Galaxy S8: 360 Security (@mj0011sec) demonstrated a bug in the Samsung Internet Browser to get code execution, then leveraged a privilege escalation in a Samsung application, which persisted through a reboot ($70,000).
- iPhone 7: Tencent Keen Security Lab used two bugs, one in the browser and one in a system service, to exploit Safari ($45,000).
- iPhone 7: Richard Zhu (fluorescence) leveraged two bugs to exploit Safari and escape the sandbox, successfully running code of his choice ($25,000).
There were two failed attempts, both by Tencent Keen Security Lab. One tried to exploit the internet browser on a Galaxy S8, and the other targeted NFC on the Mate 9 Pro.
The Zero Day Initiative invited representatives from each of the smartphone companies to be on hand to talk to researchers about the exploits found. If the exploit is indeed a true zero-day, the vulnerability is immediately disclosed to the vendor. They then have 90 days to release a fix, but if a vendor is not able to provide a fix or offer a "reasonable statement" on why, the ZDI team "will publish a limited advisory including mitigation in an effort to enable the defensive community to protect users."
The competition continues with six more attempts tomorrow, with the same phones being used, as well as the Google Pixel.