Hackers identified a series of vulnerabilities in Android and iOS to take down a Google Nexus 6P and an Apple iPhone 6S this week at Mobile Pwn2Own.
The mobile version of the popular hacking challenge, put on by Trend Micro and Tipping Point’s Zero Day Initiative, was held in tandem with the PacSecWest security conference in Tokyo, Japan.
Keen Lab, a division of Tencent, made the biggest waves on Wednesday, using two different bugs paired with other weaknesses in Android to install a rogue application on a Nexus NP running the latest operating system, Nougat. The group then performed the same hack two more times, earning $102,500 USD.
Boom! @keen_lab succeeds in installing a rogue app on a #nexus6p. With bonuses, they earned $102,500 & 29 Master of Pwn points. #MP2O pic.twitter.com/hfbnH0eI6p
— Zero Day Initiative (@thezdi) October 26, 2016
Keen Lab attempted to install a rogue app on the iPhone 6S later that day through a series of bugs but due to default configuration settings, the app didn’t persist after a reboot. While it only earned them partial credit in the competition, Zero Day Initiative did elect to purchase the bugs, earning the hackers $60,000.
Keen Lab managed to find success with their third exploit of the day however. The group combined a use-after-free bug in the iPhone’s renderer and a memory corruption bug in the sandbox to leak a photo from the phone, earning the hackers an additional $52,500.
Perhaps even more impressive was the fact that Keen Lab was able to carry out both iPhone exploits on an iPhone running iOS 10.1, which had been released the day prior. That update coincidentally fixed a serious vulnerability in the mobile operating system discovered by Marco Grassi, a researcher with the group. Through the bug, which existed in CoreGraphics, an attacker could’ve used a malicious JPEG to achieve arbitrary code execution; Apple fixed the issue through improved memory handling.
A tweet published by Keen Lab Wednesday made it sound like the researchers – Liang Chen, Wayne Liang, Yubin Fu, and Grassi – had to work overnight to perfect the exploit.
Even with last minute update of 10.1 which made us work overnight, we success finally @Cloudlldb @fuyubin1993 @marcograss @chenliang0817 pic.twitter.com/zUtSZswDbx
— KEENLAB (@keen_lab) October 26, 2016
Keen Lab earned $215,000 for its exploits and was named Master of Pwn, a title ZDI gives to the contestant that accumulates the most points throughout the contest.
Tencent Team Keen won $215k at PWN2OWN Mobile by attacking Nexus6p and two exploits for the iPhone iOS 10.1 released yesterday(!) pic.twitter.com/A5cvCQZdI7
— dragosr (@dragosr) October 26, 2016
Keen Team’s only competition was a pair of researchers, Robert Miller and Georgi Geshev, from MWR Labs. The two also attempted to install a rogue app on the Nexus 6P but the recent Chrome update, pushed two weeks ago, made the app too unstable. The duo said their exploit worked earlier in the week but couldn’t get it working in the allotted amount of time they were given on Tuesday.
Unlike Pwn2Own, which gives contestants 15 minutes to complete an exploit attempt, contestants have three attempts, each one lasting five minutes, to compromise a device in Mobile Pwn2Own,
Keen Lab, a collective of hackers from China, has been a staple at Pwn2Own competitions for several years now.
The group partnered with PC Manager at Pwn2Own in Vancouver earlier this year to take down Safari on day one of the challenge. On the second day of the competition they used another vulnerability to carry out code execution on Microsoft’s Edge browser.
Keen made headlines again last month after it disclosed a series of bugs to automaker Tesla. The vulnerabilities, which Tesla patched via an over the air update, could have allowed a remote hacker to control a car’s blinkers, side mirrors, car seats, sunroof panel, door locks, and in-vehicle displays.