At the 2016 mobile Pwn2Own event, held on Oct. 26 in Tokyo, security researchers were able to exploit devices that vendors had fully patched. In total, Trend Micro’s Zero Day Initiative (ZDI) awarded $215,000 to researchers for security flaws in an Android Nexus 6P and an Apple iPhone 6S
“We’re always pleasantly surprised by the quality of research presented at Pwn2Own competitions,” said Dustin Childs, director of communications for ZDI. “Beyond that, we were somewhat surprised by the amount of entries targeting the installation of rogue applications and the ease with which they did it.
“Tencent’s Keen Security Lab Team was able to successfully install a rogue application on a fully patched Google Nexus 6P, which earned a $102,500 award. The Keen Security Lab Team discovered and exploited two new vulnerabilities in Android to install the rogue application.
The Keen Security Lab Team attempted to install a rogue application on an Apple iPhone 6S, with limited success. Although the researchers were able to get the rogue app to install, it did not stay on the device after a reboot. ZDI awarded the Keen Security Lab Team $60,000 for its partial success. A full compromise of the iPhone 6S that would have enabled a rogue application to be installed and then persist after reboot would have earned a $125,000 award.
The iPhone 6S was further exploited by the Keen Security Lab Team to a hack that was able to leak photos from the devices. According to ZDI, the researchers employed a use-after-free memory flaw as well as a memory corruption bug in order to steal the photos. The photo leakage hack earned the researchers a $52,500 award.
Not every attempt at the mobile Pwn2own event was successful. Robert Miller and Georgi Geshev from MWR Labs were unable to successfully install a rogue application on the Nexus 6P, as a result of a patch to Google Chrome that came out just ahead of the contest.
“The subsystem they were relying on for their exploit became unreliable with the latest release of Google Chrome,” Childs said. “This resulted in some program instability unrelated to the exploit.
“Perhaps most notably, the biggest prize that ZDI was offering at the event went unclaimed; it was for an exploit to force an iPhone to unlock, which would have earned the successful researcher a $250,000 prize.