Chinese research group takes top spot in annual mobile security challenge

The sixth annual Mobile Pwn2Own competition ended in Tokyo yesterday, with the world’s leading mobile security research teams battling it out to take the ‘Master of Pwn’ crown.

Organized by the Zero Day Initiative (ZDI), this year’s Mobile Pwn2Own competition was hailed as the bug bounty group’s biggest-ever mobile security event. Top researchers demonstrated attacks on the most popular mobile devices to take a slice of the $500,000 prize pool.

Similar to ZDI’s flagship OS, server, and applications contest, Pwn2Own, the mobile version of the event highlights the latest techniques in exploiting mobile devices through various communication channels.

This year, four different targets were made available: Google Pixel, Samsung Galaxy S8, the Apple iPhone 7, and the Huawei Mate9 Pro. Challengers were tasked with targeting the devices’ browsers, WiFi, messaging system, and baseband.

Keen Security Lab of China took the top spot in 2017, with 44 points, followed by 360 Security (27 points), and MWR Labs (21 points). A total of 32 unique bugs were submitted to the program over both days.

Among this year’s Mobile Pwn2Own highlights, 360 Security successfully enabled the Samsung S8 browser to run their code before leveraging a privilege escalation in an app to persist through a reboot.

Keen Security launched a successful WiFi exploit on the iPhone 7, using a total of four bugs to gain code execution and escalate privileges to allow a rogue application to persist through a reboot.

The researchers at Keen, part of Chinese tech conglomerate Tencent, also successfully demonstrated a baseband attack on the Huawei device – the first such exploit ever submitted to the ZDI program.

“We awarded contestants $515,000 and multiple phones – they Pwn them so they do Own them,” the organizers said. “Congratulations to Keen Security Lab on being awarded the Master of Pwn. It was certainly well deserved, as they demonstrated some unique exploits.”

All bugs were privately disclosed to the vendors following the event.