This is not a drill: Hackers pop stock Nexus 6P in five minutes

Keen hackers at Mobile Pwn2Own

The Nexus 6P appears to have been hacked with attackers at the Mobile Pwn2Own contest installing malware without user interaction in less than five minutes.

The hack by China's Keen Team happened minutes ago at the Tokyo event and does not require users to do anything. It is as of the time of writing yet to be confirmed but contest organisers tell El Reg they are confident of its legitimacy.

Mobile Pwn2Own at the PacSec security conference in Japan pits hackers against the latest phones for a share of US$375,000 (£308,000, A$487,000) handed out by Trend Micro's Zero Day Initiative.

The Nexus 6P, Apple iPhone 6S, and Samsung Galaxy S7 will be targeted by hackers who have over previous months developed tailored and often highly-sophisticated chained exploits against the device. We're told the targets will be running on the latest, fully patched version of the operating system available on the selected device – Apple iOS or Google Android, basically.

Hackers of noted exploit crew Keen Team stand to win US$100,000 (£82,000, A$130,000) in prizes should the 6P hack be confirmed.

MWR Labs hackers Robert Miller and Georgi Geshev will within the next few hours also target the Nexus 6P in a bid to install a malicious application, and will score the US$100,000 prize even if Keen's exploit is confirmed.

Keen will also target the iPhone 6S attempting to install another rogue application on the stock and updated device for a prize of US$125,000 (£103,000, A$162,000)

The team will then return in a bid to rip photos from a locked iPhone 6S. If successful the crew will bag US$50,000 (£41,000, A$65,000). Each team under the contest rules has five minutes, over three attempts for a total of 15 minutes to pop devices.

Keen hacked the Nexus 6P on its first attempt and used the remaining slots to add flair and style to the exploits in a bid to claim the Master of Pwn award worth US$25,000 (£21,000, A$32,000).

Hacks can require users to browse to malicious content within the default browser or by viewing or receiving a malicious MMS/SMS messages. ®


Biting the hand that feeds IT © 1998–2017