iPhone 7 wi-fi, Safari 'zero-day' exploits leveraged in pwn2own hacker's contest

Posted:
in iPhone
Apple's iPhone 7 security was bypassed by a trio of hackers at the Mobile Pwn2Own event, with a wi-fi exploit, a system service bug, and two Safari bugs used to escalate privileges and run arbitrary code on the device.




The Tencent Keen Security Lab was the successful party in two of the three events at the conference, with Richard Zhu using two bugs in Safari on the iPhone 7 to escape the sandbox. At present, the attack techniques have not been verified by the Pwn2Own orchestrators.

Contest rules note that all of the devices subject to penetration will be running the latest version of their respective operating systems with all available patches installed. It is not clear at this time what specific version of iOS was installed on the iPhone 7. Tuesday's release of iOS 11.1 patched out the KRACK vulnerability, which in theory could have been used for the Wi-Fi exploit.

Once the research presented is confirmed to be a true 0-day exploit, Pwn2Own immediately discloses the vulnerability to the vendor, who is given 90 days to release a fix before the organization publishes a "limited advisory" about the method. Representatives from Apple, Google, and Huawei were all available at the conference and able to ask questions of the researchers if needed.

A bug in the Samsung Internet Browser was demonstrated at the event. Keen Security Lab also used a stack overflow attack on the Huawei Mate9 Pro to bypass code execution limitations.

Pwn2Own is a computer hacking contest that had its inaugural event in 2007, and has been held annually since. The first contest was generated in response to frustration with Apple's lack of response to the "Month of Apple Bugs" and the "Month of Kernel Bugs," events, as well as Apple's commercials at the time that lampooned Windows security.

Winners of the contest receive the device that they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win.

The latest Mobile Pwn2Own was held during the PacSec conference, at Aoyama St. Grace Cathedral in Tokyo, Japan.

Comments

  • Reply 1 of 7
    lkrupplkrupp Posts: 5,805member
    If anything this contest shows how complicated and tough software development is. Personal computers have been around for over forty years now and the software running on them is still full of holes. To me it also points out how ridiculous people are when they say things like “Don’t they test this stuff before releasing it?” Well, yes, THEY do test but it’s never good enough. Holes always remain. Take a look at the macOS 10.13.1 security document release. There are dozens of patches for security issues that we’ve never heard of nor will ever encounter. Pwn2Own gets a lot of press every year but the unsung heroes are the security researchers who sit at their desks every day slogging through code looking for problems, developing and testing exploits, dutifully reporting what they find to Apple, Microsoft, Google, et al.
    chiaminicoffeejcs2305bsimpsenracerhomiecgWerksmuthuk_vanalingamairnerdMacPromanfred zorn
  • Reply 2 of 7
    krawallkrawall Posts: 147member
    lkrupp said: Pwn2Own gets a lot of press every year but the unsung heroes are the security researchers who sit at their desks every day slogging through code looking for problems, developing and testing exploits, dutifully reporting what they find to Apple, Microsoft, Google, et al.
    I do agree.

    Yet, still, you have some folks that have to make a living and will only do so by monetary imbursement so I think this is still a great way to patch holes and give out some money to the ones that find those holes. Running arbitrary code, I honestly did not think this was possible on this time and date of iOS development ...
  • Reply 3 of 7
    cgWerkscgWerks Posts: 950member
    krawall said:
    lkrupp said: Pwn2Own gets a lot of press every year but the unsung heroes are the security researchers who sit at their desks every day slogging through code looking for problems, developing and testing exploits, dutifully reporting what they find to Apple, Microsoft, Google, et al.
    I do agree.

    Yet, still, you have some folks that have to make a living and will only do so by monetary imbursement so I think this is still a great way to patch holes and give out some money to the ones that find those holes. Running arbitrary code, I honestly did not think this was possible on this time and date of iOS development ...
    Yes, any who have the integrity to go through any of these channels vs probably making a ton more money selling it to criminals/3-letter-orgs.
  • Reply 4 of 7
    I love hearing about things like this.  No corporate group-think going on here, just people with a motivation to ferret out flaws and then reporting the flaws to the vendor so they can fix them.  It's like free QA for all of us.  
  • Reply 5 of 7
    I would personally prefer Apple spend more time on security and less time on "features" like emoji, animoji, fireworks on Messaging, etc.
  • Reply 6 of 7
    thewbthewb Posts: 65member
    I would personally prefer Apple spend more time on security and less time on "features" like emoji, animoji, fireworks on Messaging, etc.
    I think it would be a mistake to reassign people who work on things like emoji to work on security matters instead. The idea that software developers are interchangeable and can work on any software task tends to be the reason there are security flaws in the first place.
    colinng
  • Reply 7 of 7
    cgWerkscgWerks Posts: 950member
    thewb said:
    I would personally prefer Apple spend more time on security and less time on "features" like emoji, animoji, fireworks on Messaging, etc.
    I think it would be a mistake to reassign people who work on things like emoji to work on security matters instead. The idea that software developers are interchangeable and can work on any software task tends to be the reason there are security flaws in the first place.
    True, but instead of hiring 2 or 3 people to work on the next great incarnation of the emoji, they could hire one crack security expert. It's more about priorities, or at least what seems like priorities. (I suppose it's possible they can't find any more security experts - or Mac updaters - to employ, whereas emoji creators abound.)
Sign In or Register to comment.