Mobile Pwn2Own 2017 – Day Two Schedule and Results

November 01, 2017 | Dustin Childs

Welcome back to the 2017 edition of Mobile Pwn2Own. Yesterday saw some great research on display, and today promises just the same. We awarded over $350,000 yesterday for 11 bugs in the various handsets, including the first ever baseband exploit submitted to the ZDI program. If you haven’t checked out the wrap video for Day One, it’s certainly worth your time. Today is shaping up to be just as exciting, with competitors targeting multiple browsers and a second baseband attempt.  

The full schedule for Day Two is below (all times JTZ [UTC+9:00]). We will update this schedule with results as they become available.

10:00 – MWR Labs (@MWRLabs) targeting Google Chrome on the Huawei Mate9 Pro

SUCCESS: The team used 5 logic bugs in Huawei applications to escape the browser sandbox and exfiltrate data. This earned them $25,000 and 10 Master of Pwn points.

11:30 – 360 Security (@mj0011sec) targeting WiFi on the Apple iPhone 7

PARTIAL: Although the exploit succeeded, one of the three bugs demonstrated was previously known. They still managed to get code execution through WiFi, earning them $20,000 and 6 Master of Pwn points. The duplicate bug turned out to be one previously submitted by a different competitor in the contest.

13:00 – MWR Labs (@MWRLabs) targeting the Samsung Internet Browser on the Samsung Galaxy S8

SUCCESS: The team used a whopping 11 bugs (plus a couple of “features”) across six different applications execute code and leak sensitive data. The multitude of bugs also allowed them to persist after a reboot, earning them a total of $25,000 and 11 Master of Pwn points.

14:00 – 360 Security (@mj0011sec) targeting the Safari web browser on the Apple iPhone 7

SUCCESS: 360 Security uses 2 bugs, one in the browser and one in a system service, to exploit Safari. They earn $25,000 as a late winner in the Browser category and 10 Master of Pwn points.

16:30 – Team MBSD targeting the Samsung Internet Browser on the Samsung Galaxy S8
This entry was withdrawn from the competition.

17:00 – acez targeting the baseband processor on the Samsung Galaxy S8

SUCCESS: Acez used a stack buffer overflow resulting in code execution. Put simply, he wrote persistent data on to the Samsung Galaxy S8. This earned him $50,000 as the second Baseband winner and 20 points towards Master of Pwn.

Again, a successful demonstration is just the first step. Once we verify the exploit is unique and unknown, we immediately disclose the bug(s) to the vendor. Representatives from Apple, Google, and Huawei can then ask for details on the exploit directly from the researchers. Since it takes a fully functional exploit chain to win any attempt, we provide the vendor 90 days to correct the issues. At the end of the disclosure deadline, if a vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect users.

We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, and check back for our end-of-day blog and video recapping all of the results and awards.