Researchers hack Safari, iOS 14 to win $420,000 in China contest
Apple's software security has reportedly been defeated at the Tianfu Cup hacking contest in China, with thousands of dollars worth of prizes being handed out to participants for demonstrating vulnerabilities in Safari and iOS 14.
The winning team at the 2020 Tianfu Cup contest
The contest, which took place on Saturday and Sunday, saw teams attempting to successfully demonstrate exploits that attack a wide variety of hardware. For the 2020 competition, the Apple-specific targets for the teams were Safari running on a 13-inch MacBook Pro and iPhone 11 Pro running iOS 14.
Each device had a list of requirements to meet to qualify for prizes given out by Tianfu Cup's organizers. For Safari, where the task was to browse to a remote URL in Safari and gain control of the browser or the Mac, $40,000 was on offer for a successful remote code execution (RCE) attack, rising to $60,000 for an RCE with a sandbox escape.
For the iPhone and iOS 14, teams had similar requirements as for Safari, but with the addition of needing to "bypass the PAC mitigation." A successful RCE earned hackers $120,000, rising to $180,000 plus additional prizes for a sandbox escape, and $300,000 for a remote jailbreak.
According to the published results, one team managed a sandbox escape in Safari, while two sandbox escapes were performed in iOS 14, resulting in payouts totaling $420,000.
The details of the exploits were not released, but were provided to Apple for patching under a responsible disclosure policy. Once patched, or a sufficient period of time has passed, the details of the vulnerabilities are usually shared by the researchers who discovered them.
Now in its third year, the Tianfu Cup is largely modeled after Pwn2Own in structure, with many of the researchers previously taking part in that competition. A change in Chinese regulations effectively banned security researchers from taking part in international contests, over national security fears.
The winning team from the weekend was the Qihoo 360 Enterprise Security and Government Vulnerability Research Institute, earning $744,500 from its submissions. Second place went to Ant-Financial Light-year Security Lab with $258,000, while security researcher "Pang" was third with $99,500.
Comments
The participants successfully tested their exploits against the following software:
- iOS 14 running on an iPhone 11 Pro
- Samsung Galaxy S20
- Windows 10 v2004 (April 2020 edition)
- Ubuntu
- Chrome
- Safari
- Firefox
- Adobe PDF Reader
- Docker (Community Edition)
- VMware ESXi (hypervisor)
- QEMU (emulator & virtualizer)
- TP-Link and ASUS router firmware
So in total 11 out of 16 targets were cracked. I'll let one of you figure out which 5 weren't successfully hacked. https://www.zdnet.com/article/windows-10-ios-chrome-and-many-others-fall-at-chinas-top-hacking-contest/
Not mentioning Windows or Android does indeed say a lot. It says that AppleInsider editorializes to focus on Apple. What it does not say is anything about security researchers and their targets. Contests like these always focus on a wide range of targets, including Windows and Android. For better perspective, you may need to widen the scope of your information sources beyond AppleInsider.