The mobile edition of the Pwn2Own hacking contest is returning for its sixth year, with a prize pool of $500,000 and new targets for security researchers. The event is scheduled to be held at the PacSec 2017 conference in Tokyo Nov. 1-2.
Pwn2Own is operated by Trend Micro’s Zero Day Initiative (ZDI) and has both desktop and mobile events. At the Pwn2Own 2017 event held in March for desktop and server exploits, security researchers demonstrated 51 new zero-day vulnerabilities and were awarded a total of $823,000 for their efforts.
At the last Mobile Pwn2Own event, which was held in October 2016, security researchers were awarded a total of $215,000 in prize money for successfully demonstrating new zero-day exploits against fully patched Android and iPhone devices. The biggest single prize that ZDI offered at the event, however, went unclaimed as no researcher was able to demonstrate an exploit that would force an iPhone to unlock. ZDI was set to pay out $250,000 for the iPhone unlock exploit.
“While we do consider last year to be successful, we’re always hopeful we see more and better exploits at each competition,” Brian Gorenc, director at Trend Micro Zero Day Initiative, told eWEEK.
At the Mobile Pwn2Own 2017 event, researchers will take aim at fully patched Apple iPhone 7, Samsung Galaxy S8, Google Pixel and Huawei Mate9 Pro devices. Among the categories included in the Mobile Pwn2Own 2017 event are browser, WiFi, Bluetooth and messaging (SMS). The largest single prize that ZDI is offering is $100,000 for mobile baseband vulnerabilities.
WiFi vulnerabilities will earn researchers up to $60,000 for successfully demonstrating new zero-day exploits. Gorenc said that in the WiFi category, ZDI is looking for attacks similar to Jüri Aedla’s entry from Mobile Pwn2Own 2014.
“Aedla abused a vulnerability in the WiFi stack to execute arbitrary code,” he said. “Any functionality that is used to handle WiFi traffic is in scope.”
ZDI will also award $60,000 for successful exploits of SMS and MMS messaging services.
“We will be looking for any entry that is focused on code triggered when receiving, parsing and displaying an MMS/SMS message,” Gorenc said.
Researchers provide full details on successful exploits to ZDI, which in turn privately discloses the information to an impacted vendor. In past years, ZDI gave vendors 120 days to patch any demonstrated flaws before they were publicly disclosed, but that is changing for the 2017 mobile event to only 90 days.
“It’s true different vendors patch at different speeds, but we have seen mobile vendors patch within a 90-day window,” Gorenc said.
Gorenc added it’s important to remember that to win a Mobile Pwn2Own category, security researchers need a fully functioning exploit. As such, a demonstrated attack at Pwn2Own takes a vulnerability beyond the realm of the theoretical and into near active attack status.
“Vendors should be capable of responding to an active attack within 90 days,” Gorenc said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.