Pierluigi Paganini October 26, 2016

Tencent Team Keen won $215k at PWN2OWN Mobile by hacking Nexus 6p and using two exploits for the iPhone iOS 10.1 … all in just 5 minutes each round.

Yesterday I was writing about the possibility to hack an Apple device just by opening an image or a PDF, today I desire to inform you that the Keen team at Mobile Pwn2Own contest has hacked a Nexus 6P in five minutes.

Yes, you’ve got it right!, The Keen hackers compromised Nexus 6P using a malware that doesn’t request user interaction, and the entire attack lasted less than five minutes.

This year two teams have participated the competition, the Tencent Keen Security Lab Team, and Robert Miller and Georgi Geshev from MWR Labs.

The hackers of the Keen Team won US$102,500 in prizes for this hack, overall price for the various hacks is US$375,000 that will be assigned by the Trend Micro’s Zero Day Initiative. The team also received 29 Master of Pwn points for the exploit.

Maybe first Nexus 6p remote pwn in the world?Good job @flanker_hqd @dmxcsnsbh #MP2O pic.twitter.com/twPFj9FLsP

— KEENLAB (@keen_lab) 26 ottobre 2016

The researchers exploited a combination of two vulnerabilities and other Android security issues. The Zero Day Initiative (ZDI) awarded them $102,500 and 29 Master of Pwn points for the hack.

In the contest hackers will target a wide range of devices, including Nexus 6P, Apple iPhone 6S, and Samsung Galaxy S7.

Keen also targeted the iPhone 6S attempting to install a malicious app, but the attack was only partially successful because the application did not gain the persistence due to a default configuration setting. In this case, the hackers earned $60,000 of $125,000 for the flaw they have exploited.

The Keen Lab team earned also $52,500 and further 16 Master of Pwn points for stealing photos from an iPhone 6S via a use-after-free vulnerability in the renderer and a memory corruption bug in the sandbox. It is interesting to note that the attack was successful despite Apple has released the new version of its mobile OS, iOS 10.1 .

The second team, composed of Miller and Geshev from MWR Labs attempted to install a malicious app on a Nexus 6P, but their exploit was stable due to a recent improvement in the Chrome browser.

Of the overall payout of $375,000, researchers earned $215,000.

It is important to praise the spirit of these experts that participated to the Mobile Pwn2Own 2016. Selling their exploits to intelligence agencies or to a zero-day broker firm, they would earn much more.

Pierluigi Paganini

(Security Affairs – Mobile Pwn2Own, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]