The Results – Mobile Pwn2Own Day One

The first day of Mobile Pwn2Own 2017 has come to a close, and we’ve awarded a total of $350,000 and 55 Master of Pwn points. Today saw five successful attempts and two failed attempts as the ZDI program acquired 11 bugs for the Samsung Galaxy S8, Apple iPhone 7, and the Huawei Mate9 Pro.

There was quite a bit of action prior to the contest, as Apple, Google, and Huawei all released last-minute patches in the middle of the night. Our team updated before breakfast, as we want to ensure the demonstrated bugs work against the very latest version of the OSes and applications. Perhaps the timing of the updates was coincidental, but the early morning patches were applied regardless.

The official contest day began with our random drawing for order, which put Tencent Keen Security Lab (@keen_lab) targeting the Samsung Internet Browser on the Samsung Galaxy S8 up first. Unfortunately, the attempt failed as they could not get their exploit chain to work within the allotted time.

Next up, 360 Security (@mj0011sec) also attempted to exploit the Samsung Internet Browser on the Samsung Galaxy S8. They succeeded in getting the browser to run their code, then leveraged a privilege escalation in a Samsung application to persist through a reboot. These two bugs earned them $70,000 and 11 points towards Master of Pwn.

Following that, Tencent Keen Security Lab (@keen_lab) returned to target the Near Field Communications (NFC) feature of the Huawei Mate9 Pro. This attempt also failed to work within the allotted time.

Fortunately, Tencent bounced back with a successful WiFi exploit on the Apple iPhone 7. They used a total of four bugs to gain code execution and escalate privileges to allow their rogue application to persist through a reboot. They earned $60,000 for the WiFi exploit and added $50,000 for the persistence bonus – a total of $110,000 and 11 Master of Pwn points. This screenshot may not look like much, but all it took was connecting to a WiFi network to get the “KeenLab” app to appear.

And just to confirm – yes, we updated our iPhone targets to iOS 11.1 prior to the contest.

Tencent Keen Security Lab was on the clock once more as they targeted the Safari Browser on the Apple iPhone 7. It took them just a few seconds to successfully demonstrate their exploit, which needed only two bugs – one in the browser and one in a system service to allow their rogue app to persist through a reboot. As the second finisher in the Browser category, they earned half of the cash award at $45,000, but still earned the full 13 Master of Pwn points.

Next, Richard Zhu (fluorescence) also targeted the Safari Browser on the Apple iPhone 7. He used a bug in the browser and an out-of-bounds bug in the broker to escape the sandbox and execute code. The short demo earned him $25,000 and 10 Master of Pwn points.

Our final entry for Day One saw Tencent Keen Security Lab perform a baseband attack on the Huawei Mate9 Pro. They successfully demonstrated a stack overflow resulting in code execution on the baseband processor. They modified the IMEI, which could cause wide-ranging service disruptions if done in the wild. This is the first baseband exploit ever submitted to the ZDI program and requires a firmware update to fix the underlying issue. The demonstration earned them $100,000 and 20 Master of Pwn points.

It was a great beginning to the first day of our largest mobile competition ever. If you’re keeping track of Master of Pwn, Tencent Keen Security Lab has a commanding lead with 44 points. Tomorrow looks like an action-packed day as well, with contestants targeting browsers on the iPhone, Samsung, and Huawei handsets, plus another(!) baseband exploit.

Be sure to check back tomorrow for the Day Two schedule and results.