Among the more interesting things to emerge from the digital revolution are hacking competitions and prizes, in which benevolent "white hat" hackers are invited to try to defeat hardware and software in a closed environment. The latest mobile-only edition of the Pwn2Own competition was sponsored by software security company Trend Micro, offering cash prizes to anyone who could get user info, install rogue apps, or completely unlock some of the biggest mainstream phones out there: the Nexus 6P, the Galaxy S6, and the iPhone 6s.
The Tencent Keen Security Lab Team was up to the challenge. Using multiple Android bugs that were present even in a Nexus 6P equipped with the latest monthly security patches, the team managed to get a rogue app installed on the phone, accessing user data but not fully unlocking the device. With three successful attacks in various "sniper," "strength," and "stealth" categories, the team earned $102,500 in total prize money. Another team, using an attack that relied on a subsequently patched mobile Chrome vulnerability, couldn't achieve the same results.
Tencent Keen also managed to get a rogue app to persist on an iPhone 6s after a reboot, which counted as a partial success. There's no mention of a successful attack on the Galaxy S7 in Trend Micro's after-event report. All in all, the Tencent Keen team scored enough hacking and "style" points to earn $215,000 in prize money. According to the Mobile Pwn2Own rules, the vulnerabilities in the Nexus 6P and/or Android that allowed the attack will be disclosed to Google for patching.
- Trend Micro