This new iteration of the Pwn2Own mobile hacking contest targets iOS and Android
The mobile Pwn2Own hacking contest is back!!! This time a top prize of $250,000 is being offered to any security researcher who forces an Apple iPhone to unlock.
Earlier this year, the Zero Day Initiative (ZDI) group that sponsors the Pwn2Own event was sold to Trend Micro by Hewlett Packard Enterprise (HPE), which resulted in the event going through a bit of a changeover. The browser edition of the Pwn2Own event that was held in March was jointly sponsored by HPE and Trend Micro. The mobile Pwn2Own 2016 contest, scheduled to be held next month, will be the first Pwn2Own event that does not benefit from HPE sponsorship.
“To us, it’s still Pwn2Own,” Brian Gorenc, senior manager of vulnerability research at Trend Micro, told eWEEK. “We always hope each contest brings us something new we haven’t seen before, but if you’ve seen the contest, it should look very familiar.”
ZDI awarded researchers a total of $460,000 in prize money for publicly demonstrating new zero-day exploits in web browsers during the 2016 Pwn2Own browser event, which was held at the CanSecWest conference in Vancouver.
The total available prize pool is set to top $500,000 at the mobile Pwn2Own event, which is scheduled to be held on October 26-27 at the PacSec Security Conference in Tokyo. ZDI is asking researchers to target three specific mobile devices for the 2016 mobile event: the Apple iPhone 6s, the Samsung Galaxy Note 7 and the Google Nexus 6P.
ZDI is tasking researchers with several challenges across all of the targeted devices. First, ZDI is awarding $50,000 to those who can compromise an iPhone or a Google Nexus to obtain sensitive information from it. Further, an award of $35,000 will be given to the researcher who is able to get sensitive information off a Galaxy device.
The second challenge at the mobile Pwn2Own 2016 is to install a rogue application on a targeted device. Installing a rogue app on the iPhone, Google Nexus, and Samsung Galaxy would fetch prizes of $125,000, $100,000 and $60,000, respectively.
“Each phone will be running the latest operating system available at the time of the contest, and all available patches will also be applied,” Gorenc said. “This can lead to some late nights as ZDI researchers update phones in the days leading up to the contest, but we feel it’s best to have the latest and greatest targeted.”
All the targeted devices will be in their default configuration, Gorenc said. This means that Pwn2Own contestants must target Safari on iOS, as it is the default browser and represents the most common, realistic situation for users of that device. Pwn2Own contestants have demonstrated several vulnerabilities related to the WebKit browser rendering engine in the past. WebKit is the essential rendering engine behind Safari and has many components that are also used in Google’s Chrome.
“The threat landscape shifts so much from contest to contest that it’s hard to predict what component will be targeted,” he said. “WebKit will likely make an appearance, but we’re hoping to see some new techniques and research as well.”
Gorenc said that ZDI has no requirements for the app used in the rogue application installation challenge. “We will leave it up to the contestant to express their creativity during the public demonstration,” he said.
The researcher who is able to successfully force an iPhone to unlock will be awarded the biggest single prize at the mobile Pwn2Own 2016 event. The challenge of unlocking an iPhone has been a hot topic in recent months. The FBI has reportedly paid as much as $1.3 million to bypass the iPhone lock screen.
Apple has started its own bug bounty program, with a $200,000 prize, while security firm Exodus Intelligence will pay a top prize of $500,000 for an iOS zero-day flaw.
Gorenc believes that $250,000 is a lucrative prize for an iPhone unlock exploit.
“We feel this amount is not a bad payday for what will clearly be a significant amount of research needed to accomplish this hack,” he said. “Along with the money, the researcher will get the recognition that comes with winning Pwn2Own.”
In the end, it’s the marketplace that will let ZDI know if $250,000 is a fair price, Gorenc said. However, he is hopeful that someone will actually attempt to force an iPhone to unlock in public.
“Finally, by reporting this through ZDI, the bugs will actually get fixed by the vendor,” Gorenc said. “That’s better than some of the alternatives.”