Security researchers broke the Google Pixel, Apple’s Safari browser, and the Microsoft Edge browser running on Windows 10 at PwnFest 2016.
Teams of white-hat hackers register to compete in PwnFest to see who can gain system-level access to a variety of technologies in the shortest amount of time.
Sounds fun! But that’s not all. It also pays well to those who win… like, hundreds of thousands of dollars well. One of the competitors, Chinese security firm Qihoo 360, walked away from the competition with more than half a million dollars (US $520,000).
How? By being one of the best at what they do.
On Friday, Qihoo 360’s hackers leveraged an undisclosed vulnerability to achieve remote code execution on the Google Pixel. Google will now work on a fix for the issue, a bug which by itself netted the team US $120,000.
The successful compromise is the second time hackers have compromised the Pixel in recent weeks.
The first to do it was the Qihoo 360 rival Keen Team of Tencent at the Mobile Pwn2Own event in Japan. Those hackers later demonstrated at PwnFest how they were able to obtain system-level privileges on the phone, including access to the device’s contacts, SMS messages, phone number, and other features.
That exploit is shown in the video below.
Here are a few additional highlights from PwnFest 2016:
- In 20 seconds flat, the Pangu Team abused a root privilege escalation bug to break Apple’s Safari browser and win 80,000 USD.
- South Korean hacker Lokihardt smashed Microsoft Edge running on Windows 10 in just 18 seconds, earning for himself 140,000 USD in the process.
- Qihoo 360 exploited a use-after-free zero day and a win32k kernel flaw to pop Flash. All it took was four seconds to win the 120,000 USD prize money.
We’ve all heard about bugs in Safari, Flash (too many to count, in fact), and other software. What makes PwnFest fun is the ability for researchers to research a method of attack, demonstrate it in front of their peers, and win some moolah in the process.
At the same time, none of the PwnFest exploits are made public. Those who compete at and sponsor PwnFest (well…maybe except for Google…) support the idea of responsible disclosure. That’s why exploits go straight to the vendors so that they can develop appropriate fixes.
Money… fame… security fixes… PwnFest is a win-win for all.
I tip my hat to Darren Pauli of The Register for his excellent coverage of this year’s competition.