Hacking. A term that is thrown around so much these days even though most have no idea what it is or how it works. But those big companies who do know what it implies, are working hard to secure things. This has resulted in an interesting culture of hacking competitions where you get paid to hack, instead of being put in jail. Recently, Google announced such a competition offering upto $200K to anyone who hacks a Nexus 6P or Nexus 5X.
But this was another competition called Pwn2Own, the mobile-edition of it, sponsored by Trend Micro – the antivirus company -offering cash prizes to anyone who could get user info, install rogue apps, or completely unlock some of the biggest mainstream phones out there: the Nexus 6P, the Galaxy S6, and the iPhone 6s.
The Tencent Keen Security Lab team managed to get a rogue app installed on the phone, accessing user data but not fully unlocking the device using multiple Android bugs that were present even in a Nexus 6P that was equipped with the latest monthly security patches. The team performed three successful attacks in various “sniper,” “strength,” and “stealth” categories, winning $102,500.
They also managed to get a rogue app to install on the iPhone 6S however it did not persist after rebooting. So that counted as a partial success but did bring them $60,000 for it. The Tencent team also was able to leak photos from the iPhone 6S successfully which earned them another $52,500.
It’s interesting to note that nobody managed even a partial or less than partial attack successfully on the Galaxy S7.
Overall the team scored 45 points and got a hefty $215,000 in prize money. According to the Mobile Pwn2Own rules, the vulnerabilities in the Nexus 6P and/or Android that allowed the attack will be disclosed to Google for patching.
Source: Trend Micro