Hewlett-Packard is set to host its second annual Mobile Pwn2own competition this November at the PacSec Applied Security Conference in Tokyo. The competition will reward security researchers from a total prize pool of $300,000 (£188,000) for new, previously undisclosed vulnerabilities in mobile technologies.
The mobile event will be the second Pwn2own event in 2013, following the desktop browser-focused event that was held in March. It’s also the second time HP has hosted a mobile-focused Pwn2own event. At the 2012 mobile Pwn2own event, near-field communication (NFC) technology was a key target, and both Android and iOS were hacked.
Brian Gorenc, manager of the Zero Day Initiative (ZDI) at Hewlett-Packard Security Research, told eWEEK that his group has introduced several changes to Mobile Pwn2Own this year. In this year’s event, the attack surface has been widened to include Bluetooth, Wi-Fi, and USB-based attacks.
“HP’s Zero Day Initiative, with support from its sponsors, has also increased the amount of prize money available to $300,000, compared with $240,000 last year,” Gorenc said.
“All targets will be installed in the default configurations giving all contestants an even playing field,” Gorenc said.
In terms of awards, HP will pay $50,000 to the first researcher who is able to successfully demonstrate a previously unknown attack against Bluetooth, Wi-Fi, USB or NFC use on a mobile device. An award of $70,000 will be paid to the researcher who can demonstrate an attack against the Short Message Service (SMS), Multimedia Messaging Service (MMS) or Commercial Mobile Alert System (CMAS).
Mobile browser exploits will yield a $40,000 bounty. Google is also participating in the event, kicking in an additional $10,000, on top of HP’s $40,000, to the researcher who is able to successfully exploit its Chrome browser running on a Google Nexus 4 or Samsung Galaxy S4.
“There will be one winner per category, with the exception of the Mobile Browser category, which may have additional winners, sponsored by Google, if the contestant is specifically targeting Chrome or Android on the Google Nexus 4 or Samsung Galaxy S 4,” Gorenc said.
The HP ZDI group buys security vulnerabilities from researchers year-round. As such, Gorenc has some insight into the types of vulnerabilities that are on the market, but it’s difficult to forecast what will emerge at a Pwn2Own event.
“One of the great things about Pwn2Own is that you never know what type of innovative research and attack techniques will show up,” Gorenc said.
ZDI is particularly interested in seeing exploits in the messaging services category, he added.
“These types of attacks are particularly dangerous since you don’t need to be in range of the target or get them to click on a link – all you need is a phone number,” Gorenc said.
Originally published on eWeek.