Qihoo 360 security researchers compromised the Google Pixel, along with VMware Workstation and Adobe Flash, at the PwnFest hacking event at POC2016, an international security and hacking conference held in South Korea last week.
Organized by Korean hackers and security experts, the Power of Community (POC) was first held in 2006. At this conference, hackers and cybersecurity contributors discussed security topics in technical and creative sessions. Participants also demonstrated real hacking skills in PwnFest, a two-day bug exploiting and pwning competition held under the POC.
Three teams from Qihoo 360 (Vulcan, Marvel and Alpha) took on the pwning challenge and ran hacks against Microsoft Edge, VMware Workstation, Google’s Pixel and Adobe Flash.
Google Pixel breached in less than 60 seconds
In less than a minute, the Qihoo 360 security team breached the Google Pixel, the brand new Android smartphone introduced by Google a few months ago.
In a proof-of-concept exploit demonstration, the Qihoo 360 team showed how they used a zero-day vulnerability to achieve remote code execution on the target Android system. The hack launched the Google Play store before opening Google Chrome, and showed a web page displaying “Pwned By 360 Alpha Team”.
Security experts indicated how threat actors could obtain contacts, photos, messages and other personal information once they have compromised a smartphone.
The exploit earned the Qihoo 360 Team $120,000, and details have been provided to Google to patch the vulnerability.
Adobe Flash, Microsoft Edge, and VMware all taken down
In addition to the Google Pixel, Adobe Flash also fell. The Qihoo 360 team used a combination of a decade-old vulnerability and a use-after-free zero-day vulnerability to break Adobe Flash. The team spent only 4 seconds performing the hack and won a $120k prize.
Qihoo vulnerability researchers also popped VMware Workstation 12.5.1. The bug was exploited to achieve system-level remote code execution without user interaction. VMware is rated as an almost perfect virtual system, for it has not been cracked for seven years. The Qihoo 360 Vulcan team then popped Microsoft Edge and scored $120k for exploiting this bug.
All the vulnerability details have been reported to the respective companies so that they can produce security patches and prevent black-hat hackers from using the flaws for malicious purposes.