This week has been supremely dynamic in the global smartphone industry. After the launch of the newest models by the biggest industry players, the 6th annual Mobile Pwn2Own 2017, in Tokyo, has been the cherry on top. The world’s top security advisors and researchers tested the security features offered by a range of smartphones through new zero-day attacks against fully patched mobile devices.
Mobile Pwn2Own is the contest organized by the Zero Day Initiative, an online cyber-security platform for developers and researchers.
This year has been the largest-ever edition of Mobile Pwn2Own, with almost half a million dollars given away as prize money to the contestants. Six groups of participants took part in the mobile hacking competitions over the course of 2 days. The hacking was done under categories such as:
Contestants targeted the web browsers of Apple (Safari), Google (Chrome), and Samsung’s internet browser to exploit vulnerabilities and plant bugs to hack and steal.
Short Distance & Wi-Fi
Attacks were initiated via Bluetooth, NFC and local area Wi-Fi networks.
Mobiles were targeted and attacked via a rogue device which interacts with the victim and later proceeds to infiltrate and hack it.
There were more than 13 attempts made at various popular mobile devices, with 32 new bugs planted. Although Apple and Samsung released new patches just the night before the contest began, ZDI confirmed that all devices had been upgraded with the new patches overnight to make sure they were running the latest possible OS versions.
Here are some of the most prominent highlights from the event:
iPhone 7 bugged via Wi-Fi
360 Security targeted Wi-Fi on the Apple iPhone 7. They used three different bugs to exploit the vulnerability. Although it was not as comprehensive a hack as they would have hoped for, they still managed to extract data from an iPhone just by connecting it to the Wi-Fi. This attempt earned them $20,000 and 6 points toward Master of Pwn. However, 360 Security later made another attempt, at Apple Safari on the iPhone 7, where they were successful in extracting sensitive data by using 2 bugs, one in the system and another in the browser. This attempt earned them a further $25,000 and 10 points toward Master of Pwn.
A spokesperson from Apple told the media that they have been made aware of the issue and are currently working towards fixing it.
The bugs will be made public within 90 days until Apple comes up with a proper patch and reasoning for the flaw.
Other notable successful hacks
- MWR Labs attacked the Huawei Mate9 Pro by using 5 separate bugs, which earned $25,000
- MWR Labs were successful in leaking and hacking protected data from the Samsung Note 8 by using eleven separate bugs to target the device in an elaborate attempt, earning $25,000 and 11 points toward Master of Pwn
The final standings at the close of the final day of the event were as follows: