Recently, the software security firm Trend Micro sponsored the mobile edition of the Pwn2Own hacking event, inviting white hat hackers to test their skills against 2015 smartphones, including the Nexus 6P, the Galaxy S6, and the iPhone 6s. For those unfamiliar, Pwn2Own is a computer hacking contest that has been held annually at the CanSecWest security conference since 2007. Contestants are challenged to exploit widely used software and mobile devices using previously unknown vulnerabilities.
The Tencent Keen Security Lab Team rose to the challenge and managed to get a rogue app installed on the phone, using multiple Android bugs that were present even in a Nexus 6P equipped with the latest monthly security patches. The attack accessed user data but did not fully unlock the device. With three successful attacks in various “sniper,” “strength,” and “stealth” categories, the team earned $102,500 in total prize money and 29 points towards Master of Pwn.
Next, the Tencent Keen Security Lab Team targeted the iPhone 6s with a rogue application. However, the app did not persist after a reboot. As a result, the attempt was considered a partial success: it earned them $60,000 but no Master of Pwn points.
Robert Miller and Georgi Geshev from MWR Labs then took their turn, targeting the Google Nexus 6P with a rogue application installation. But as their attack depended on a subsequently patched mobile Chrome vulnerability, they were not able to get the same results.
Finally, Tencent Keen also used a rogue app against the iPhone 6s to successfully leak photos. They combined a use-after-free (UAF) bug in the renderer and a memory corruption bug in the sandbox to steal a photo from the phone. This hack earned them another $52,500 and another 16 points towards Master of Pwn.
Overall, the Tencent Keen team scored enough hacking and “style” points to earn total prize money of $215,000 and 45 points, along with the Master of Pwn title. It is interesting to note, however, that nobody managed even a partially successful attack on the Galaxy S7. According to the Mobile Pwn2Own rules, the vulnerabilities in the Nexus 6P and/or Android that allowed the attack will be disclosed to Google for patching.
Source: Trend Micro