igor - Fotolia

Researchers hack iOS 11 at Mobile Pwn2Own 2017

Security researchers competing at Mobile Pwn2Own 2017 used multiple vulnerabilities to hack iOS 11 in order to execute code and win prizes.

Security researchers competing at Mobile Pwn2Own 2017 were able to hack various smartphones, including Apple's brand new iOS 11.1 software.

Apple released iOS 11.1 on Halloween and the operating system was hacked multiple times at Zero Day Initiative's (ZDI) Mobile Pwn2Own on Nov. 1 and 2. Tencent Keen Security Lab did the most damage at the competition with two successful hacks of iOS 11 running on an iPhone 7.

On Day One of Mobile Pwn2Own, the Keen Lab team was able to hack iOS 11 to successfully load a rogue application and have it persist through a reboot with a Wi-Fi exploit that used a total of four different vulnerabilities to execute. It is unknown what bugs were used, but Apple had previously confirmed the recently disclosed KRACK Wi-Fi flaw was patched in iOS 11.1, so this would have been a different Wi-Fi issue.

However, one of the bugs used by Keen Lab on Day One was also used by Qihoo 360 Security, of China, in a Wi-Fi hack on iOS 11.1 on Day Two. Dustin Childs, in charge of ZDI communications at Trend Micro, said this was a surprising event.

"After a successful demonstration, things got a bit murky in the disclosure room. 360 Security used three separate bugs to exploit WiFi on the iPhone, but one of the bugs was submitted in a previous attempt in the contest by a different competitor," Childs wrote in a blog post. "While the intrigue of a bug collision is certainly interesting, let's not overlook the fact that 360 Security demonstrated an exploit that exfiltrated data from an iPhone just by connecting it to a WiFi network."

On Day One, Keen Lab was also able to hack iOS 11 by exploiting a Safari browser bug and a system service flaw in order to get its rogue application to persist through a reboot. For its efforts at Mobile Pwn2Own, Keen Lab earned a total of $155,000.

Richard Zhu, a security researcher also known as fluorescence, successfully exploited a Safari browser flaw and another bug to escape the iOS sandbox and execute code, earning $25,000.

Mobile Pwn2Own 2017 roundup

Itzhak "Zuk" Avraham, founder of Zimperium Inc., said on Twitter it's important for users to realize even new and updated phones are at risk.

"If mobile pwn2own this year tells us one thing: phones are totally insecure. Not even speaking about old/outdated phones. This is the golden age for offensive security companies. If you care about your data, prepare accordingly," Avraham wrote on Twitter. "If multiple groups were able to hack so many different models remotely, including multiple baseband submissions, we, as users, are in trouble. Unfortunately, this is totally aligned with what I'm personally seeing in the wild."

In total, Day One of Mobile Pwn2Own 2017 had five successful hack attempts across various devices and two failed attempts, while Day Two had six more attempts, which were all successful.

ZDI said Mobile Pwn2Own 2017 was its largest mobile contest ever with a total of 32 unique bugs submitted. The 11 successful attacks came against the Samsung Galaxy S8, Huawei Mate 9 Pro and Apple iPhone 7.

Lukas Stefanko, malware researcher at ESET, noted one major smartphone was not hacked during the competition.

Next Steps

Learn how iOS 11 protects against law enforcement searches.

Find out how to protect yourself from a KRACK attack.

Should the Vulnerabilities Equities Process become law?

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing