40 comments

[ 2.8 ms ] story [ 93.1 ms ] thread
How do these competitions declare a winner? Snippets like "it only took 4 seconds" suggest they use the total exploit running time as the only criteria?
I don't think time has anything to do with the competition, it just made a catchier title.
they go into a randomized lottery which decides who gets to run their exploit first. They then have a set time to exploit the device (commonly 2 minutes), and if they can't do it the next team in gets to go.

Generally once a target has been compromised, no other teams are allowed to use the same vulnerabilities. this prevents a team from sharing an exploit/vuln to others who run it again. The downside is that if you've been working on an exploit chain for 6 months but a team runs a similar bug ahead of you, your work is worthless.

$520,000 in a day. I wonder how many man-hours were spent prior to the competition?
Still probably would argue that it's worth it.
They work for a chinese anti virus company Qihoo 360. I wonder who got the prize money, the hackers or the company.
So they spend weeks developing the exploits and when they present it the headline is that it took 4 or 60 seconds? They even used the phrase "breached Adobe Flash with a flick of the finger" as if anyone could hack it with a finger gesture.
Yeah, it's pretty disingenuous reporting / [intentional] misunderstanding to sensationalize headlines. I'm sure many dozens of hours of work went into each of these, more likely hundreds. It only impresses people with no familiarity with this type of thing.
No it's not. The timings represent a good proxy for how easy it is to pull off the (weaponised) exploit in the wild.

For example Flash, even when sandboxed, continues to be an extremely easy and lucrative attack vector (relatively speaking). Four seconds puts the exploit in drive-by territory.

A sixty second web exploit is not so useful for "cyber" criminals. But if you can "compromise all aspects of the phone including contacts, photos, messages, and phone calls" in 60 seconds, this is probably worth it.

True that the headline is grabby, but if you are trying to pwn someone's phone, the speed of execution is important, right? "Hi, can I use your phone to call my mum? My phone's battery has died. I'll be back in 45 minutes..."
It looks like these exploits require either shell access or installing an app that contains the exploit code.

Apart from the Flash vulnerability, did any of the exploits use Chrome to gain all permissions on the Pixel? That would be scary, because the user would just have to be served Javascript containing malicious code or visit an affected website.

Why isn't Linux or the BSDs usually included in these pawn competitions?

(comment deleted)
> Why isn't Linux or the BSDs usually included in these pawn competitions?

I think that there are not many companies willing to pay to find vulnerabilities in Linux and BSD.

At least for GNU/Linux, because it would be too easy given the current state of affairs as discussed this year's Linux Security Summit.

http://arstechnica.com/security/2016/09/linux-kernel-securit...

Given its use across the industry, and being written in C, GNU/Linux has become the target they used to joke about Windows since its existence.

For the BSDs, I imagine only OpenBSD would be an hard nut to crack given their focus on security. Then again, it isn't an OS that has much desktop visibility like the systems that are part of this competition.

(comment deleted)
...this had me concerned for a minute, then I read the article and realised that 'Pixel' now means a phone and not a Chromebook. Panic over!
Yeah, it makes no sense to me for Google to throw away their Nexus brand and all the good will they built up behind it. If the Pixel (phone) was really made by Google, it might make a bit of sense to keep the Pixel branding in the sense that it's manufactured by Google vs Nexus where it's not. But the pixel phone is made by HTC, just like the Nexus phones. To add to the confusion, they already had the Chromebook Pixel (small laptop), the Pixel C (tablet), and now the Google Pixel (phone). I half expect their next device to be the Pixel Potato, given their numbering sequence.
Nexus kinda ran out of numbers, since they already used 7 for the tablet.

Google experimented for a while with weird model numbers like 5X and 6P, but seems to have decided against continuing it. It's the version wars all over again. Who wants to be stuck at 5 and 6 when Apple is at 7, Samsung will soon return with an 8, and Microsoft already played the "we'll skip ahead to 10" card?

Where is SemVer for hardware models?
SemVar is alive and well for hardware, every revision is incompatible with the previous.
Since Google likes to release new phones every time there's a new major version of Android, they might as well match the phone model number with the Android version.
i was hoping they'd continue with the 'nexus 7 (2013)' and 'nexus 7 (2014)' trend. it was concise and easy to remember.
Gah, I dislike that. I even more dislike Apple's "late 2012" stuff. Please give me a specific name that refers to a specific hardware design. Things can get so confusing otherwise, especially when trying to buy something used.

Yes, I know that there are specific model numbers... in tiny print... but if people don't know them or use them it is no help.

I wouldn't be so sure there's no code shared between different versions of chrome.
Which also happens to run the same Android 7.1.

All the other ChromeOS models from Google are no longer on sale.

As great it is that these exploits are being discovered by the right people, I always cringe at how douchey these competitions are and how journalists use it as an opportunity to undermine companies they don't like for whatever reason.
On the other hand if no one called out on the security holes of flash, and your data was sniffed by the wrong people.

A phone is an extension of you. Security is paramount.

they do provide an interesting and useful datapoint about the effort required to attack a given target.
MacOS Sierra was hacked in 20 seconds and Flash in 4 seconds.
Any Chrome or Firefox breaches?
firefox isn't included in these competitions; it was a while back but has been removed.

not 100% sure why, but I figure Mozilla don't pay out significant bounties and compromise of the browser is relatively easy compared to other targets given there's no real sandbox.

Kudos to team but these events demonstrate how broken the security is and why we should be scared.

A complete redesign is required but it won't happen unless it causes major catastrophy and losses.

Is there a source for why a complete redesign would be needed?
Yes if an user program like flash results in pwning the device, security model is broken. Ideally when a user level program is compromised it should not be able to impact OS in any condition if security architecture was adhered to as it was envisioned. But every single OS out there have chosen the easyway out.

On hardware level CPU rings exist to protect kernel from rogue programs and each other but in reality all that protection is either completely or partially circumvented.

I read a paper on this a year back. I will try to find the link and post it here.

Okay, apologies, I thought you were talking about the Pixel. After watching the video, it's unclear whether or not the exploit was in a user mode application or one with system permissions.
Apple Safari, Adobe Flash, Microsoft Edge they all are user mode applications. If they are not then problem is impossible to solve anyways.
breathless exclamations of relative ease of exploit execution is just subjective editorial flair, for those keeping track of the well-intended neophyte observations. The entire thing comes off subjective. In modern journalism courses don't they preach about avoiding that pitfall? Unless everyone in tech writing wants to be Hunter Thompson by breaking all the rules.
Modern journal doesn't involve "courses".

Copying Hunter Thompson , initiating "gonzo" style, has been the rage for quite a while -- it's more fun than being honest and careful

I think it's more likely that many authors of on-line publications don't have journalism degrees or haven't taken courses. The web has made it easier for anyone to publish, which is great. People have been able to hone their writing skills and get feedback (through eyeballs and clicks) on how to increase their audience. However, that incentive alone doesn't necessarily align with quality.

As professional journalism has moved from print to on-line, they've been struggling to figure out how to sustain their businesses. The on-line incentives for eyeballs/clicks is now strong for them as well, and they've understandably hired people who have proven to attract online readers. Early on it was clearer to identify the "blog" section of an online publication, but that's become increasingly difficult.

Stray thought: Is there a resource out there to view the credibility of stories by byline?