It’s a good time to be a security researcher. If you have the time and talent to find vulnerabilities in widely deployed applications, there is a lot of money out there for the taking, and not just from the bug bounty programs and regular exploit buyers.
The latest iteration of the Pwn2Own hacking contest, which has run at the CanSecWest conference in Vancouver for several years, will take place at the Japanese version of the conference in November, and the targets will be the most popular mobile platforms. The prizes for the contest reflect the changing nature of the vulnerability landscape, and the fact that there is far more competition for good vulnerabilities, both out in the open and on the underground, than there has been before.
The targets in the contest are some of the more popular mobile devices on the market, including the iPhone 5, Nexus 4, Galaxy 4, 7 and 10, iPad Mini and BlackBerry Z10.
The money available in the mobile Pwn2Own contest at PacSec is significant: $300,000 total, including $70,000 for the first successful exploit against any of the popular messaging services, such as SMS, MMS or CMAS. Exploits that compromise mobile devices via Bluetooth, WiFi, USB or NFC are worth $50,000. On top of that, Google is offering a bonus of $10,000 if one of the exploits compromises Chrome on Android on the Nexus 4 or Galaxy 4.
That’s real money, and in the past, some of the more talented security researchers in the industry have shown up at Pwn2Own to collect large checks from HP, the main sponsor of the contest, and Google. But, as the exploit sales market has exploded in the last couple of years, with government agencies, defense contractors and private buyers ratcheting up the prices, more and more researchers have opted to keep their research private and sell their bugs on the open market rather than use them in a contest. With prices running well into the six figures for browser exploits, it’s no wonder.
“Prices are too low for giving full exploit + sandbox bypass. Price for NFC/USB is good,” Chaouki Bekrar of VUPEN, a seller of exploits to governments, said on Twitter after the announcement for mobile Pwn2Own went out on Thursday.
Bekrar’s team has been a major player at Pwn2Own the last few years, but has avoided entering other contests, such as Google’s Pwnium, because they require the contestants to turn over full details of the vulnerability and exploit, rather than just the crash details. The requirements for mobile Pwn2Own make it clear that the bugs that qualify for prizes would likely draw a much higher price on the open market.
“A successful attack against these devices must require little or no user interaction and the initial vulnerability used in the attack must be in the registered category. The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations,” the rules say.
That class of vulnerability is highly valuable to government buyers, and fewer and fewer researchers appear willing to accept half or a third of what they could get on the open market.