As part of the Pwn2Own contest run by Trend Micro’s Zero Day Initiative (ZDI) in Japan, some of the finest hackers from all over the world are trying to break into the most widely-used mobile phones on the planet this week. So as a part of the contest Keen Lab from China has successfully compromised both Apple’s iPhone and Google’s Nexus.
They were awarded $52,500 for hacking into Apple’s iPhone and $102,500 for Google’s Nexus. The iPhone 6S attack saw Tencent-owned Keen Lab chain two iOS vulnerabilities to steal pictures from the Apple device. They also managed to install a rogue application on the iPhone 6S, but the app wouldn’t survive a reboot thanks to a default configuration setting that prevented persistence. Despite that, ZDI bought the bugs used in the hack for $60,000.
As for the Nexus 6P, the Keen collective managed to install a malicious app on the Google device, repeating the attack three times. Again, Keen combined two different bugs, alongside other unspecified weaknesses in Android.
Even with last minute update of 10.1 which made us work overnight, we success finally @Cloudlldb @fuyubin1993 @marcograss @chenliang0817 pic.twitter.com/zUtSZswDbx
— KEENLAB (@keen_lab) October 26, 2016
ZDI chief Brian Gorenc’s statement on Keen’s research: “All of the exploits were triggered by browsing to a malicious website. From that perspective, it’s relatively simple to trick a user into this scenario. Crafting the exploit itself isn’t trivial and requires months of research and experimentation.”