TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... TippingPoint customers were protected against 0-day exploitation of MS07-017 two years prior to the exploit being discovered in the wild.

Mobile Pwn2Own 2012

Update 1

  • Based on feedback from our independent researchers, we are adding a category to allow for attacks against the base operating system using standard functionality. The attack must require little or no user interaction to exploit the device. This includes using NFC to automatically transfer and open files.
  • Bump in Web Browser and Operating System category prize money from $20,000 to $30,000
  • Added Phone Details
  • Added FAQ


We are introducing a new spin on the Pwn2Own competition this year by holding the first Pwn2Own dedicated to the mobile attack surface.  The primary goal is to demonstrate the current security posture of the most prevalent mobile technologies in use today; including attacks on mobile web browsers, mobile operating system, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband.  Along with our sponsors Research in Motion (RIM) and AT&T, HP DVLabs looks forward to highlighting the researchers working to help improve mobile security.

Contest Dates

The contest will take place the 19th and 20th of September, 2012 in Amsterdam, Netherlands during the EUSecWest conference. This blog post will be updated as the contest plays out, and for real-time updates you can follow either @thezdi on Twitter or search for the hash tag #pwn2own.

Please direct all press inquiries for HP TippingPoint/ZDI to: Annie Tsang <hpesp@bm.com>.


We will be dusting off our radio frequency (RF) enclosure introduced in Pwn2Own 2011 so that competitors will be able to perform RF attacks without violating local laws.  This RF enclosure has a built-in video recording feature which allows us to publish the feed at the conclusion of the contest.

Zero Day Initiative (ZDI), along with our sponsors RIM and AT&T, will offer five prizes, one each to the first researcher to successfully compromise a device through one of the following vectors:

  • Mobile Web Browser
  • Mobile Operating System
  • Near Field Communication (NFC)
  • Short Message Service (SMS)
  • Cellular Baseband

Each contestant will be allowed to select the device they wish to compromise during the pre-registration process.  The only requirement is that it be a current device and running the latest operating system.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered researcher. 

For researchers registering on-site, we will have the devices listed in the Devices section available if the target/vector has not already been compromised.   We will review the devices prior to the competition and ensure they are in a clean state.

A successful attack against these devices must require little or no user interaction and must compromise or exfiltrate useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure.  The vulnerabilities utilized in the attack must be an 0-day.  ZDI reserves the right to determine what constitutes a successful attack.  As always, vulnerabilities revealed by contest winners will be disclosed to affected vendors through HP’s Zero Day Initiative.


A successful compromise of any of these targets will win the contestant the cash prize, the device itself, and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.

*Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.

Along with the prize money, each winner will receive a BlackBerry PlayBook courtesy of RIM. Prize money for the first researcher to compromise a device for each of the vectors is listed below. 

  • Mobile Web Browser
    • $30,000 USD
  • Mobile Operating System
    • $30,000 USD
  • NFC
    • $40,000 USD
  • SMS
    • $40,000 USD
  • Cellular Baseband
    • $100,000 USD


  • Windows Phone 7
    • Nokia Lumia 900
      • Windows Phone 7.5
      • OS version: 7.10.8779.8
      • Firmware revision number: 2175.2301.8779.12223
      • Hardware revision number: 112.1914.2.0
      • Radio software version:
      • Radio hardware version: 8055
      • Bootloader version:
      • Chip SOC version:
    • HTC Titan II
      • HTC PI861000
      • Windows Phone 7.5
      • OS version: 7.10.8112.7
      • Firmware revision number: 2180.0400.11801.502
      • Hardware revision number: 0004
      • Radio software version:
      • Radio hardware version: A.26.0.D4
      • Bootloader version: 1.18.2180.0(139346)
      • Chip SOC version:
  • Android
    • Samsung Galaxy Nexus
      • GT-I9250
      • Android version: 4.1.1
      • Baseband version: I9250XXLF1
      • Kernel version: 3.0.31-g5fb96c9 android-build@vpbs1 ) #1 SMP PREEMPT Thu Jun 28 11:02:39 PDT 2012
      • Build number: JRO03C
    • Samsung Galaxy SIII
      • SGH-T999
      • Android version: 4.0.4
      • Baseband version: T999UVLH2
      • Kernel version: 3.0.8-925100-user se.infra@SEP-86 #1 SMP PREEMPT Thu Aug 2 19:25:08: KST 2012
      • Build number: IMM76D.T999UVALH2
    • Sony Xperia P
      • LT22i
      • Android version: 4.0.4
      • Baseband version: u8500-49020804-P2H_EC01
      • Kernel version: 3.0.8+ BuildUser@BuildHost #1 SMP PREEMPT Fri Jul 13 14:59:29 2012
      • Build number: 6.1.B.0.544
  • BlackBerry
    • BlackBerry Bold 9900
      • 7.1 Bundle 998 (v7.1.0.284, Platform
      • 3G/4G Bands 1,2,5,6
      • Cryptographic Kernel v3.8.7.1
      • Branding Version:
      • Micro Edition Configuration: CLDC-1.1
      • Micro Edition Profile: MIDP-2.1
      • Micro Edition JTWI Version: 1.0
      • Micro Edition Media Version: 1.1
      • Micro Edition PIM Version: 1.0
      • Micro Edition File Version: 1.0
      • Micro Edition Bluetooth Version: 1.1
      • Micro Edition Location Version: 1.0.1
      • Micro Edition Security and Trust Services (ADPU) Version: 1.0
      • WLAN Version:
      • Cellular Radio Version:, SV 34
  • Apple
    • iPhone 4S
      • Version 5.1.1 (9B206)
      • Carrier AT&T 12.0
      • Model MD234LL
      • Modem Firmware 2.0.12


For this competition contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com.  This will allow us to ensure we have the necessary resources in place to facilitate the attack.  If more than one researcher registers for a given category, the order of the contestants will be drawn at random.  The schedule will be announced a week before the contest.

On-site registration will still be available if the targets have not been compromised and if the required hardware and software prerequisites are available.

Each contestant will have a 30-minute time slot in which to complete their attempt (not including time to set up possible network or device prerequisites).


Q. Will vulnerabilities that have been made public be accepted in the competition?
A. The point of the competition is to discover unpublished 0days in the vectors listed. As a result, we will not pay for public vulnerabilities. Public vulnerabilities can be used as part of a chain provided there is an 0day vulnerability in the category entered.

Q. Do the 0days have to be unique in case multiple vectors are exploited?
A. No, the 0days don't have to be unique in the case where multiple vectors are being exploited. The vulnerability that results in code execution has to be unpublished and it must be located in the selected category (Browser, OS, NFC, SMS, Baseband).

Q. Does the SMS category include MMS?
A. The SMS category includes SMS, MMS, and Cell Broadcast/CMAS.

Q. If NFC is used as a vector to a vulnerability in another application (e.g. browser), which category will the attack be classified under?
A. If the exploit abuses an unpublished weakness in the specific category (e.g. NFC), then it will be accepted into that category. If you are simply utilizing standard functionality to chain to a second vulnerability in a different category, then you will be entered into the OS category, not NFC.

Q. What if I have a question that isn't covered by this FAQ?
A. Please contact us at zdi@hp.com!


Published On: 2012-07-20 08:57:24

Comments post a comment

No comments.