HP’s Zero Day Initiative (ZDI) announces the second annual Mobile Pwn2Own competition, to be held on November 13-14, 2013 at the PacSec Applied Security Conference in Tokyo, Japan. ZDI, along with Mobile Pwn2Own sponsors Google’s Android Security Team and BlackBerry, is looking forward to another groundbreaking competition.
Start going through your mobile device crashes!
Mobile Pwn2Own is an annual contest that rewards security researchers for highlighting security concerns on mobile platforms. The contest focuses on hardening the mobile attack surface through great research and responsible disclosure. It’s the sister contest to ZDI’s Pwn2Own contest, which is now in its seventh year and a regular feature at CanSecWest.
HP and its sponsors are offering over $300,000 (USD) in cash and prizes to researchers who successfully compromise selected mobile targets from particular categories. Contestants will be judged on their ability to uncover new vulnerabilities and develop cutting-edge exploit techniques to compromise some of the most popular mobile devices.
This year’s Mobile Pwn2Own contest is offering the following prizes to the first contestant who successfully compromises their mobile target in the following categories:
- Short Distance/Physical Access ($50,000), either:
  - Bluetooth, or
  - Wi-Fi, or
  - Universal Serial Bus (USB), or
  - Near Field Communication (NFC)
- Mobile Web Browser ($40,000) **
- Mobile Application/Operating System ($40,000)
- Messaging Services ($70,000), either:
  - Short Message Service (SMS), or
  - Multimedia Messaging Service (MMS), or
  - Commercial Mobile Alert System (CMAS)
- Baseband ($100,000)
Contestants are allowed to select the target they wish to compromise during the pre-registration process. The exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The following targets are available for selection:
- Nokia Lumia 1020 running Windows Phone
- Microsoft Surface RT running Windows RT
- Samsung Galaxy S4 running Android
- Apple iPhone 5 running iOS
- Apple iPad Mini running iOS
- Google Nexus 4 running Android
- Google Nexus 7 running Android
- Google Nexus 10 running Android
- BlackBerry Z10 running BlackBerry 10
** Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is sponsoring a top-up reward for the Mobile Web Browser category. If a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10k to make it a total of $50,000. There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.
How do I enter?
The contest is open to all delegates at the PacSec 2013 conference (as long as you meet our rather inclusive eligibility requirements). You can even use a proxy at the conference if you are unable to attend in person.
Start by reviewing the contest rules, here. Next, if you don’t already have a free ZDI researcher account, you need to sign up here. When you’re all signed up as a ZDI researcher, it’s simply a matter of contacting us to register for the contest.
Please direct all press inquiries for HP Security Research/ZDI to: Cassy Lalan <[email protected]>.
More importantly, how do I win?
Be the first to compromise a selected target in one of the categories using a previously unknown vulnerability (one that has not been disclosed to the affected vendor). You’ve got 30 minutes to complete your attempt. When you’ve successfully demonstrated your exploit and ‘pwned’ the targeted device, you need to provide ZDI with a fully functioning exploit and a whitepaper detailing all of the vulnerabilities and techniques utilized in your attack.
A successful attack against these devices must require little or no user interaction and the initial vulnerability used in the attack must be in the registered category. The contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers, or eavesdropping on conversations. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be unpublished 0-days.
As always, ZDI reserves the right to determine what constitutes a successful attack.
The vulnerabilities and exploit techniques discovered by the winning researchers will be disclosed to the affected vendors. If the affected vendor is at the conference and happy to parlay, we can even arrange to hand over the vulnerability details onsite for the fastest possible remediation.
Want to know more?
If you missed it above, the full contest rules are here. We’ll also be tweeting regular updates and news on Mobile Pwn2Own up to and during the contest. You can follow us @thezdi on Twitter or search for the hashtag #pwn2own.