The Results – Mobile Pwn2Own 2017 Day Two

November 02, 2017 | Dustin Childs

The second day of our largest Mobile Pwn2Own ever closed out with contest another six attempts, bringing the total entries to a lucky 13. Today saw additional browser attacks, a bug collisions, and another baseband attack.

The day began with MWR Labs (@MWRLabs) targeting the web browser on the Huawei Mate9 Pro. They needed five different logic bugs to get code execution, but get it they did. The successful demonstration earned them $25,000 as a late entry in the Browser category and 10 more points for Master of Pwn.

Next up was 360 Security (@mj0011sec) targeting WiFi on the Apple iPhone 7. Here’s where it got interesting. After a successful demonstration, things got a bit murky in the disclosure room. 360 Security used three separate bugs to exploit WiFi on the iPhone, but one of the bugs was submitted in a previous attempt in the contest by a different competitor. Still, the other two bugs counted for a partial success, earning the team $20,000 and 6 points towards Master of Pwn. While the intrigue of a bug collision is certainly interesting, let’s not overlook the fact that 360 Security demonstrated an exploit that exfiltrated data from an iPhone just by connecting it to a WiFi network.

Following that, MWR Labs was back to show they shop for bugs in bulk. They used 11 different bugs – plus some “features” – to get code execution and leak sensitive data on the Samsung Galaxy S8. Their exploit chain started in the Samsung Internet Browser, then leveraged a bug in Google Chrome and several other Samsung applications to install an APK, which allowed them to achieve persistence through a reboot. This impressive entry represents the longest exploit chain in Pwn2Own history and earned the team $25,000 and 11 Master of Pwn points.

The team from 360 Security returned for their own attempt to exploit Safari on the Apple iPhone 7. They succeeded by using a bug in the browser and a bug in a system service to exfiltrate data. The late entry in the Browser category earned them $25,000 and 10 points towards Master of Pwn.

Team MBSD decided to withdraw their attempt on Samsung Internet Browser from the competition.

In our final entry of the contest, acez successfully demonstrated a baseband attack on the Samsung Galaxy S8. He used a stack buffer overflow, which resulted in code execution. This enabled him to write persistent data on the target handset. The exploit earned him $50,000 as the second Baseband winner and 20 points towards Master of Pwn.

That brings to a close Mobile Pwn2Own for 2017. As our largest mobile contest ever, we couldn’t be happier with the results. A total of 32 unique bugs were submitted to the program over both days. We awarded contestants $515,000 and multiple phones – they Pwn them so they do Own them. Of course, no Pwn2Own competition would be complete without crowning a Master of Pwn. Here’s the final standings:

Congratulations toTencent Keen Security Lab on being awarded the Master of Pwn. It was certainly well deserved, as they demonstrated some unique exploits.

It has been a great contest full of some amazing research. As a reminder, all purchased bugs were privately disclosed to the vendors. We will continue working with them as they develop security patches to the devices. Thanks to everyone who helped plan, coordinate, and execute this contest, and thanks to all of those who participated. We’ll see you next year!