The second day of this year’s Mobile Pwn2Own hacking contest on Nov. 2 brought with it more exploits, including the longest exploit chain ever seen at a Pwn2Own event.
Mobile Pwn2Own 2017 ran from Nov.1-2 in Tokyo and resulted in the disclosure of 32 vulnerabilities involving Apple, Samsung and Huawei mobile devices. By the end of the two-day event, Trend Micro’s Zero Day Initiative (ZDI), which runs the Pwn2Own contest, had awarded a grand total of $515,000 in prize money for the successfully demonstrated exploits. ZDI has privately disclosed all of the vulnerabilities to the impacted vendors so the issues can be patched.
A highlight of the event was a remarkably sophisticated and elaborate exploit demonstrated by MWR Labs against the Samsung Galaxy S8 and its default internet browser. Rather than using just a single software flaw, the MWR Labs researchers used 11 different bugs, spread across six different applications on the Galaxy S8, in order to execute arbitrary code and leak potentially sensitive data. The exploit was also able to persist after the device was rebooted. ZDI awarded MWR Labs $25,000 for the whole exploit chain.
MWR Labs was also able to use an exploit chain to attack the Google Chrome web browser running on a Huawei Mate9 Pro mobile device. The MWR Labs researchers used five different logic bugs to escape the Chrome browser sandbox and then exfiltrate data. MWR Labs earned an additional $25,000 for the Huawei exploit.
Apple’s iPhone 7 was a primary target on the first day of Mobile Pwn2Own 2017, and the phone was once again on the target list on the second day of the hacking contest. On Day 1, researchers from Tencent Keen Security Lab as well as independent security researcher Richard Zhu demonstrated new zero-day exploits.
On the second day, researchers from Qihoo 360 Security took aim at the Safari web browser on the iPhone 7 running iOS 11.1 and were able to successfully exploit the device with two bugs. The exploit chain involved one flaw in the browser and one in an iOS system service that enabled the researchers to exploit Safari. ZDI awarded the team from Qihoo 360 Security $25,000 for the whole exploit chain.
The second day of Mobile Pwn2Own 2017 also brought the second zero-day exploit against cellular baseband. The baseband is the component that manages all the radio functions on a cellular device. On Day 1 of the event, Tencent Keen Security Lab successfully demonstrated a baseband exploit against the Huawei Mate9 Pro. On Day 2, a researcher publicly identified only as “Acez” was able to demonstrate a baseband flaw on the Samsung Galaxy S8 smartphone that used a stack buffer overflow error that enabled code execution. ZDI awarded Acez $50,000 for the exploit.
After two days of security exploits, $515,000 in prize money was awarded, which is more than double the $215,000 that ZDI awarded at the 2016 mobile event.
The mobile version of Pwn2Own was the second Pwn2Own event in 2017, following the desktop and server edition that was held in March in Vancouver, Canada. At that event, ZDI awarded a total of $823,000 for 51 different zero-day vulnerabilities.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.