HP to Offer $300,000 in Awards for Mobile Hacks at Pwn2Own 2013

Hewlett-Packard is set to host its second annual Mobile Pw2own competition this November at the PacSec Applied Security Conference in Tokyo. The competition will reward security researchers from a total prize pool of $300,000 for new, previously undisclosed vulnerabilities in mobile technologies.

The mobile event will be the second Pwn2own event in 2013, following the desktop browser-focused event that was held in March. It’s also the second time HP has hosted a mobile-focused Pwn2own event. At the 2012 mobile Pwn2own event, near-field communication (NFC) technology was a key target, and both Android and iOS were hacked.

Brian Gorenc, manager of the Zero Day Initiative (ZDI) at Hewlett-Packet Security Research, told eWEEK that his group has introduced several changes to Mobile Pwn2Own this year. In this year’s event, the attack surface has been widened to include Bluetooth, WiFi, and USB-based attacks.

“HP’s Zero Day Initiative, with support from its sponsors, has also increased the amount of prize money available to $300,000, compared with $240,000 last year,” Gorenc said.

A key component of every Pwn2own event is browser-based attacks, and the 2013 Mobile Pwn2own event will be no different. Gorenc noted that the usual suspects of mobile browsers, including Chrome and Safari, will be available to contestants at Mobile Pwn2Own 2013.

“All targets will be installed in the default configurations giving all contestants an even playing field,” Gorenc said.

In terms of awards, HP will pay $50,000 to the first researcher that is able to successful demonstrate a previously unknown attack against Bluetooth, WiFi, USB or NFC use on a mobile device. An award of $70,000 will be paid to the researcher that can demonstrate an attack against the Short Message Service (SMS), Multimedia Messaging Service (MMS) or Commercial Mobile Alert System (CMAS).

Mobile browser exploits will yield a $40,000 bounty. Google is also participating in the event, kicking in an additional $10,000, on top of HP’s $40,000, to the researcher who is able to successfully exploit its Chrome browser running on a Google Nexus 4 or Samsung Galaxy S4.

“There will be one winner per category, with the exception of the Mobile Browser category, which may have additional winners, sponsored by Google, if the contestant is specifically targeting Chrome or Android on the Google Nexus 4 or Samsung Galaxy S 4,” Gorenc said.

The HP ZDI group buys security vulnerabilities from researchers all year-round. As such, he has some insight into the types of vulnerabilities that are on the market, but it’s difficult to forecast what will emerge at a Pwn2Own event.

“One of the great things about Pwn2Own is that you never know what type of innovative research and attack techniques will show up,” Gorenc said.

ZDI is particularly interested in seeing exploits in the messaging services category, he added.

“These types of attacks are particularly dangerous since you don’t need to be in range of the target or get them to click on a link—all you need is a phone number,” Gorenc said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.