How do these competitions declare a winner? Snippets like "it only took 4 seconds" suggest they use the total exploit running time as the only criteria?
they go into a randomized lottery which decides who gets to run their exploit first. They then have a set time to exploit the device (commonly 2 minutes), and if they can't do it the next team in gets to go.
Generally once a target has been compromised, no other teams are allowed to use the same vulnerabilities. this prevents a team from sharing an exploit/vuln to others who run it again. The downside is that if you've been working on an exploit chain for 6 months but a team runs a similar bug ahead of you, your work is worthless.
So they spend weeks developing the exploits and when they present it the headline is that it took 4 or 60 seconds? They even used the phrase "breached Adobe Flash with a flick of the finger" as if anyone could hack it with a finger gesture.
Yeah, it's pretty disingenuous reporting / [intentional] misunderstanding to sensationalize headlines. I'm sure many dozens of hours of work went into each of these, more likely hundreds. It only impresses people with no familiarity with this type of thing.
No it's not. The timings represent a good proxy for how easy it is to pull off the (weaponised) exploit in the wild.
For example Flash, even when sandboxed, continues to be an extremely easy and lucrative attack vector (relatively speaking). Four seconds puts the exploit in drive-by territory.
A sixty second web exploit is not so useful for "cyber" criminals. But if you can "compromise all aspects of the phone including contacts, photos, messages, and phone calls" in 60 seconds, this is probably worth it.
True that the headline is grabby, but if you are trying to pwn someone's phone, the speed of execution is important, right? "Hi, can I use your phone to call my mum? My phone's battery has died. I'll be back in 45 minutes..."
It looks like these exploits require either shell access or installing an app that contains the exploit code.
Apart from the Flash vulnerability, did any of the exploits use Chrome to gain all permissions on the Pixel? That would be scary, because the user would just have to be served Javascript containing malicious code or visit an affected website.
Why isn't Linux or the BSDs usually included in these pawn competitions?
Given its use across the industry, and being written in C, GNU/Linux has become the target they used to joke about Windows since its existence.
For the BSDs, I imagine only OpenBSD would be an hard nut to crack given their focus on security. Then again, it isn't an OS that has much desktop visibility like the systems that are part of this competition.
Yeah, it makes no sense to me for Google to throw away their Nexus brand and all the good will they built up behind it. If the Pixel (phone) was really made by Google, it might make a bit of sense to keep the Pixel branding in the sense that it's manufactured by Google vs Nexus where it's not. But the pixel phone is made by HTC, just like the Nexus phones. To add to the confusion, they already had the Chromebook Pixel (small laptop), the Pixel C (tablet), and now the Google Pixel (phone). I half expect their next device to be the Pixel Potato, given their numbering sequence.
Nexus kinda ran out of numbers, since they already used 7 for the tablet.
Google experimented for a while with weird model numbers like 5X and 6P, but seems to have decided against continuing it. It's the version wars all over again. Who wants to be stuck at 5 and 6 when Apple is at 7, Samsung will soon return with an 8, and Microsoft already played the "we'll skip ahead to 10" card?
Since Google likes to release new phones every time there's a new major version of Android, they might as well match the phone model number with the Android version.
Gah, I dislike that. I even more dislike Apple's "late 2012" stuff. Please give me a specific name that refers to a specific hardware design. Things can get so confusing otherwise, especially when trying to buy something used.
Yes, I know that there are specific model numbers... in tiny print... but if people don't know them or use them it is no help.
As great it is that these exploits are being discovered by the right people, I always cringe at how douchey these competitions are and how journalists use it as an opportunity to undermine companies they don't like for whatever reason.
firefox isn't included in these competitions; it was a while back but has been removed.
not 100% sure why, but I figure Mozilla don't pay out significant bounties and compromise of the browser is relatively easy compared to other targets given there's no real sandbox.
Yes if an user program like flash results in pwning the device, security model is broken. Ideally when a user level program is compromised it should not be able to impact OS in any condition if security architecture was adhered to as it was envisioned. But every single OS out there have chosen the easyway out.
On hardware level CPU rings exist to protect kernel from rogue programs and each other but in reality all that protection is either completely or partially circumvented.
I read a paper on this a year back. I will try to find the link and post it here.
Okay, apologies, I thought you were talking about the Pixel. After watching the video, it's unclear whether or not the exploit was in a user mode application or one with system permissions.
breathless exclamations of relative ease of exploit execution is just subjective editorial flair, for those keeping track of the well-intended neophyte observations.
The entire thing comes off subjective. In modern journalism courses don't they preach about avoiding that pitfall?
Unless everyone in tech writing wants to be Hunter Thompson by breaking all the rules.
I think it's more likely that many authors of on-line publications don't have journalism degrees or haven't taken courses. The web has made it easier for anyone to publish, which is great. People have been able to hone their writing skills and get feedback (through eyeballs and clicks) on how to increase their audience. However, that incentive alone doesn't necessarily align with quality.
As professional journalism has moved from print to on-line, they've been struggling to figure out how to sustain their businesses. The on-line incentives for eyeballs/clicks is now strong for them as well, and they've understandably hired people who have proven to attract online readers. Early on it was clearer to identify the "blog" section of an online publication, but that's become increasingly difficult.
Stray thought: Is there a resource out there to view the credibility of stories by byline?
40 comments
[ 2.8 ms ] story [ 93.1 ms ] threadGenerally once a target has been compromised, no other teams are allowed to use the same vulnerabilities. this prevents a team from sharing an exploit/vuln to others who run it again. The downside is that if you've been working on an exploit chain for 6 months but a team runs a similar bug ahead of you, your work is worthless.
For example Flash, even when sandboxed, continues to be an extremely easy and lucrative attack vector (relatively speaking). Four seconds puts the exploit in drive-by territory.
A sixty second web exploit is not so useful for "cyber" criminals. But if you can "compromise all aspects of the phone including contacts, photos, messages, and phone calls" in 60 seconds, this is probably worth it.
Apart from the Flash vulnerability, did any of the exploits use Chrome to gain all permissions on the Pixel? That would be scary, because the user would just have to be served Javascript containing malicious code or visit an affected website.
Why isn't Linux or the BSDs usually included in these pawn competitions?
I think that there are not many companies willing to pay to find vulnerabilities in Linux and BSD.
http://arstechnica.com/security/2016/09/linux-kernel-securit...
Given its use across the industry, and being written in C, GNU/Linux has become the target they used to joke about Windows since its existence.
For the BSDs, I imagine only OpenBSD would be an hard nut to crack given their focus on security. Then again, it isn't an OS that has much desktop visibility like the systems that are part of this competition.
Google experimented for a while with weird model numbers like 5X and 6P, but seems to have decided against continuing it. It's the version wars all over again. Who wants to be stuck at 5 and 6 when Apple is at 7, Samsung will soon return with an 8, and Microsoft already played the "we'll skip ahead to 10" card?
Yes, I know that there are specific model numbers... in tiny print... but if people don't know them or use them it is no help.
All the other ChromeOS models from Google are no longer on sale.
A phone is an extension of you. Security is paramount.
not 100% sure why, but I figure Mozilla don't pay out significant bounties and compromise of the browser is relatively easy compared to other targets given there's no real sandbox.
A complete redesign is required but it won't happen unless it causes major catastrophy and losses.
On hardware level CPU rings exist to protect kernel from rogue programs and each other but in reality all that protection is either completely or partially circumvented.
I read a paper on this a year back. I will try to find the link and post it here.
Copying Hunter Thompson , initiating "gonzo" style, has been the rage for quite a while -- it's more fun than being honest and careful
As professional journalism has moved from print to on-line, they've been struggling to figure out how to sustain their businesses. The on-line incentives for eyeballs/clicks is now strong for them as well, and they've understandably hired people who have proven to attract online readers. Early on it was clearer to identify the "blog" section of an online publication, but that's become increasingly difficult.
Stray thought: Is there a resource out there to view the credibility of stories by byline?