A group of Chinese hackers known as Tencent Keen Security Lab Team (or Keen Team for short) has scored $215,000 by coming up with three successful exploits for the Nexus 6P and iPhone 6s. The hacks were performed as part of Trend Micro’s 2016 Mobile Pwn2Own event, where the team scooped up more than half the prize money on offer for successful hacks of the Nexus 6P, Galaxy S7 and iPhone 6s.
The Keen Team destroyed a fully patched and updated Nexus 6P on their first attempt in just five minutes. The team combined two pre-existing Android exploits and then “leveraged other weaknesses in the OS”, managing to install a malicious app without requiring any user interaction. This effort alone scored them over $100,000.
Next up, the hackers tackled the iPhone 6s and also managed to install a rogue app, but it didn’t survive a reboot, making it less valuable both to a potential bad actor and to the Keen Team’s prize money. The team was able to get the iPhone 6s to give up its store of photos though, netting the team more money overall for iPhone 6s exploits than for the Nexus 6P. It’s not clear if anyone managed to hack the Galaxy S7.
All bugs and vulnerabilities have been disclosed to Google and Apple as part of Trend Micro’s standard disclosure process. While the event was set up to highlight the need for services like those offered by Trend Micro, the company also had some sage words for manufacturers about security in general:
“As entertaining as the Mobile Pwn2Own competition may be, it exposes the seriousness of understanding the current threats and weaknesses. This year’s competition succeeds in that regard. While not every entry was declared a full winner, all of them used flaws in phones that should be addressed by the vendor.”
Did you think a Nexus 6P could be hacked in five minutes? What do you do to protect your data?