Welcome to Mobile Pwn2Own 2017 – Day One

October 31, 2017 | Dustin Childs

こんにちは and welcome to Mobile Pwn2Own 2017 -- coming to you from PacSec at the Aoyama St. Grace Cathedral in Tokyo, Japan. The venue provides an air of righteousness to the research, and this year promises to be the largest ever mobile edition of the Pwn2Own competition with more than $500,000 USD available for contestants. And no Pwn2Own would be complete without crowning a Master of Pwn and awarding the coveted MoP jacket.

We have six groups of contestants lined up to attempt to exploit four of the world’s most popular handsets in the following categories:

Browsers
In this category, contestants will target Google Chrome, Apple Safari, or the Samsung Internet Browser – and yes, Samsung’s web browser is just called Internet Browser.

Short Distance and WiFi
In this category, we’ll be looking at attacks happening over Bluetooth, near field communication (NFC), or WiFi.

Baseband
The final category will cover attacks in which the target device communicates with a rogue base station.

The full list of targets and awards – along with the complete rules – can be found here.

In total, we’ll have 13 different attempts, with seven occurring today and six more tomorrow. The full schedule for Day One is below (all times JTZ [UTC+9:00]). We will update this schedule with results as they become available.

Day One – November 1, 2017

10:00 – Tencent Keen Security Lab (@keen_lab) targeting the Internet Browser on the Samsung Galaxy S8

FAILURE: The contestant could not complete their exploit chain within the allotted time.

11:00 – 360 Security (@mj0011sec) targeting the Internet Browser on the Samsung Galaxy S8 (with persistence)

SUCCESS: 360 Security (@mj0011sec) demonstrated a bug in the Samsung Internet Browser to get code execution, then leveraged a privilege escalation in a Samsung application to persist through a reboot. This earns them $70,000 and 11 Master of Pwn points.

12:00 – Tencent Keen Security Lab (@keen_lab) targeting NFC on the Huawei Mate9 Pro

FAILURE: The contestant could not complete their exploit chain within the allotted time.

13:30 – Tencent Keen Security Lab (@keen_lab) targeting WiFi on the Apple iPhone 7

SUCCESS: Tencent Keen Security Lab gets code execution through a WiFi bug and escalates privileges to persist through a reboot. The four bugs used earn them a total of $110,000 and 11 Master of Pwn points.

15:00 – Tencent Keen Security Lab (@keen_lab) targeting the Safari Browser on the Apple iPhone 7

SUCCESS: Tencent Keen Security Lab uses 2 bugs, one in the browser and one in a system service, to exploit Safari. They earn $45,000 as the second winner in the Browser category and 13 Master of Pwn points.

16:30 – Richard Zhu (fluorescence) targeting the Safari Browser on the Apple iPhone 7

SUCCESS: Richard Zhu (fluorescence) leveraged two bugs to exploit Safari and escape the sandbox - successfully running code of his choice and earning $25,000.

18:00 – Tencent Keen Security Lab (@keen_lab) targeting baseband on the Huawei Mate9 Pro

SUCCESS: Tencent Keen Security Lab uses a stack overflow in the Huawei baseband processor, earning themselves $100,000 and 20 Master of Pwn points.

We look forward to seeing the innovative research and attack techniques demonstrated by this year’s contestants. Once we verify the research presented is a true 0-day exploit, we immediately disclose the vulnerability to the vendor, who then has 90 days to release a fix. Representatives from Apple, Google, and Huawei are all here and able to ask questions of the researchers if needed. At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect users.

We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, and check back for our end-of-day blog recapping all of the results and awards.