“Be the first to compromise a selected target in one of the categories using a previously unknown vulnerability (one that has not been disclosed to the affected vendor),” explained ZDI in the announcement. “You’ve got 30 minutes to complete your attempt. When you’ve successfully demonstrated your exploit and ‘pwned’ the targeted device, you need to provide ZDI with a fully functioning exploit and a whitepaper detailing all of the vulnerabilities and techniques utilized in your attack.”
HP and its sponsors are offering more than $300,000 in cash and prizes to researchers who successfully compromise selected mobile targets. Contestants will be judged on their ability to uncover new vulnerabilities and develop cutting edge exploit techniques.
A successful attack against the device must require little or no user interaction and the contestant must demonstrate remote code execution by bypassing sandboxes (if applicable) and exfiltrating sensitive information, silently calling long-distance numbers or eavesdropping on conversations. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be unpublished zero-day exploits.
The vulnerabilities and exploit techniques discovered by the winning researchers will be disclosed to the affected vendors. “If the affected vendor is at the conference and happy to parlay, we can even arrange to hand over the vulnerability details onsite for the fastest possible remediation,” ZDI explained.
Contestants are allowed to select the target they wish to compromise during the pre-registration process, then the exact OS version, firmware and model numbers will be coordinated with the pre-registered contestants. The targets are all popular gadgets: the Nokia Lumia 1020 running Windows Phone; Microsoft Surface RT; Samsung Galaxy S4; Apple iPhone 5; Apple iPad Mini; Google Nexus 4; Google Nexus 7; Google Nexus 10; and the BlackBerry Z10.
The first contestant who successfully compromises his or her mobile target in a category takes home the prize, which will be a significant chunk of change: proving a vulnerability in the baseband of a device earns a whopping $100,000. The next largest prize is for Messaging Services, which will pay out $70,000 for cracking a handset or tablet via SMS, MMS or Commercial Mobile Alert System (CMAS) messaging.
Short Distance/Physical Access pays pretty well too: it delivers $50,000 for compromising a device over Bluetooth, Wi-Fi, USB or Near Field Communication (NFC).
And, the Mobile Web Browser and Mobile Application/Operating System categories will both earn the winner $40,000.
Google’s Android security team and BlackBerry are among those ponying up the cash. Google’s Chrome Security Team, in conjunction with the Chrome on Android team, is also sponsoring a top-up reward for the Mobile Web Browser category. For that, if a contestant successfully compromises Chrome on Android, either on Google Nexus 4 or Samsung Galaxy S4, the prize amount will be bumped by $10,000 to make it a total of $50,000. There may be additional winners in the Mobile Web Browser category if the contestant is specifically targeting Chrome on Android, either on the Google Nexus 4 or Samsung Galaxy S4.
The event, the sister happening to the annual Pwn2Own contest, will be collocated with the PacSec Applied Security Conference in Tokyo, Japan. The contest is open to all delegates, but contestants can use a proxy at the conference if they are unable to attend in person.