The PwnFest hacking competition, held in Seoul yesterday, saw an interesting demonstration by a white-hat hacker group called Qihoo 360. The hack successfully targeted Google’s shiny new Pixel handset, won the group a $120,000 cash prize and opened up a lot of patching work for Google.
Both the regular and XL versions of the smartphone appear to be susceptible to the attack, which utilizes what is known as a zero-day vulnerability. What that essentially means is a hole in the device’s security that was present in the initial software the units shipped with. And to our knowledge, no subsequent patches have remedied the issue yet.
As for the severity of the hack, we have to say it is pretty high up there. What the hackers demonstrated on stage is known as remote code execution. In this particular case, the attack appeared to be triggered by receiving a special message. Through it, the Pixel then proceeded to open the Google Play Store and Google Chrome. The latter displayed a message that read “Pwned by 360 Alpha Team”.
This was quite aptly put, since the video demonstrated clearly that on the attacker’s side, there was access to the phone’s full list of permissions, thanks to a rogue app installed in the background. That practically leaves all of your data, including multimedia, contacts and even communication channels, open to whatever form of exploitation the attacker sees fit. Scary, indeed.
The good news here is that, as already mentioned, Qihoo 360 is a group of white-hat hackers, who make their money selling information about these kinds of vulnerabilities to the responsible parties, in this case Google. That, theoretically, means that the online titan should have enough time to figure out how to patch the holes in peace, without details of the vulnerability falling into the wrong hands.
It is also curious to note that Qihoo 360 cashed in a total of $520,000 at the event, after demonstrating another vulnerability in Microsoft Edge on Windows 10 and one in Adobe Flash.