The mobile Pwn2Own hacking contest is back for 2016, this time offering top prize of $250,000 to any security researcher who forces an Apple iPhone to unlock.
The Pwn2Own contest has undergone a bit of a transition as Hewlett Packard Enterprise sold the Zero Day Initiative (ZDI) group that sponsors the event to Trend Micro earlier this year. The browser edition of the Pwn2Own event was held in March and was jointly sponsored by HPE and Trend Micro. The mobile Pwn2Own 2016 contest being held next month will be the first time a Pwn2Own event doesn’t benefit from HPE sponsorship.
“To us, it’s still Pwn2Own,” Brian Gorenc, senior manager of vulnerability research at Trend Micro, told eWEEK. “We always hope each contest brings us something new we haven’t seen before, but if you’ve seen the contest, it should look very familiar.”
During the 2016 Pwn2Own browser event, which was held at the CanSecWest conference in Vancouver, ZDI awarded a total of $460,000 in prize money to researchers for publicly demonstrating new zero-day exploits in web browsers.
The mobile Pwn2Own event will be held Oct. 26-27 at the PacSec Security Conference in Tokyo, and the total available prize pool is set to top $500,000. For the 2016 mobile event, ZDI is asking researchers to target three specific mobile devices: the Apple iPhone 6x, the Google Nexus 6p and the Samsung Galaxy Note7.
Across all of the targeted devices, ZDI is tasking researchers with a number of challenges. The first is to obtain sensitive information from a device. ZDI is awarding $50,000 to those who exploit a device to get access to sensitive information on the iPhone or the Google Nexus. A researcher who is able to get sensitive information off a Galaxy will be awarded $35,000.
Another challenge at mobile Pwn2Own 2016 is to install a rogue application on a targeted device. A $125,000 prize will be awarded for the installation of a rogue app on the iPhone; on the Google Nexus, the reward is $100,000; and on the Samsung Galaxy, $60,000.
“Each phone will be running the latest operating system available at the time of the contest, and all available patches will also be applied,” Gorenc said. “This can lead to some late nights as ZDI researchers update phones in the days leading up to the contest, but we feel it’s best to have the latest and greatest targeted.”
Gorenc said all of the targeted devices will be in their default configuration. On iOS, that means Pwn2Own contestants must target Safari, as this is the default browser and most common, realistic scenario for users of that device. In the past, Pwn2Own contestants have demonstrated many WebKit browser rendering engine related vulnerabilities. WebKit is the core rendering engine behind Safari and has many components that are also used in Google’s Chrome.
“The threat landscape shifts so much from contest to contest that it’s hard to predict what component will be targeted,” he said. “WebKit will likely make an appearance, but we’re hoping to see some new techniques and research as well.”
For the installation of the rogue application, Gorenc said that ZDI has no requirements for the app. “We will leave it up to the contestant to express their creativity during the public demonstration,” he said.
iPhone Unlock
The biggest single prize at the mobile Pwn2Own 2016 event goes to the researcher who is able to successfully force an iPhone to unlock. The challenge of unlocking an iPhone has been a hot topic in recent months. The FBI reportedly paid as much as $1.3 million to bypass the iPhone lock screen. And Apple started its own bug bounty program, with a $200,000 prize, while security firm Exodus Intelligence will pay a top prize of $500,000 for an iOS zero-day flaw.
Gorenc believes offering $250,000 for an iPhone unlock exploit is a good size prize.
“We feel this amount is not a bad payday for what will clearly be a significant amount of research needed to accomplish this hack,” he said. “Along with the money, the researcher will get the recognition that comes with winning Pwn2Own.”
In the end, Gorenc said, it’s the marketplace that will let ZDI know if $250,000 is a fair price; he’s optimistic that someone will actually attempt to publicly force an iPhone to unlock.
“Finally, by reporting this through ZDI, the bugs will actually get fixed by the vendor,” Gorenc said. “That’s better than some of the alternatives.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.