
Google Pixel pwned in 60 seconds - jonbaer
http://www.theregister.co.uk/2016/11/11/google_pixel_pwned_in_60_seconds/
======
pgodzin
So they spend weeks developing the exploits and when they present it the
headline is that it took 4 or 60 seconds? They even used the phrase "breached
Adobe Flash with a flick of the finger" as if anyone could hack it with a
finger gesture.

~~~
seanp2k2
Yeah, it's pretty disingenuous reporting / [intentional] misunderstanding to
sensationalize headlines. I'm sure many dozens of hours of work went into each
of these, more likely hundreds. It only impresses people with no familiarity
with this type of thing.

~~~
guitarbill
No it's not. The timings represent a good proxy for how easy it is to pull off
the (weaponised) exploit in the wild.

For example Flash, even when sandboxed, continues to be an extremely easy and
lucrative attack vector (relatively speaking). Four seconds puts the exploit
in drive-by territory.

A sixty second web exploit is not so useful for "cyber" criminals. But if you
can "compromise all aspects of the phone including contacts, photos, messages,
and phone calls" in 60 seconds, this is probably worth it.

------
mrlatinos
As great as it is that these exploits are being discovered by the right people, I
always cringe at how douchey these competitions are and how journalists use it
as an opportunity to undermine companies they don't like for whatever reason.

~~~
nojvek
On the other hand, if no one called out the security holes of Flash, and
your data was sniffed by the wrong people.

A phone is an extension of you. Security is paramount.

------
anondon
It looks like these exploits require either shell access or installing an app
that contains the exploit code.

Apart from the Flash vulnerability, did any of the exploits use Chrome to gain
all permissions on the Pixel? That would be scary, because the user would just
have to be served Javascript containing malicious code or visit an affected
website.

Why isn't Linux or the BSDs usually included in these pwn competitions?

~~~
pjmlp
At least for GNU/Linux, because it would be too easy given the current state
of affairs as discussed at this year's Linux Security Summit.

[http://arstechnica.com/security/2016/09/linux-kernel-securit...](http://arstechnica.com/security/2016/09/linux-kernel-security-needs-fixing/)

Given its use across the industry, and being written in C, GNU/Linux has
become the target they used to joke about Windows since its existence.

For the BSDs, I imagine only OpenBSD would be a hard nut to crack given their
focus on security. Then again, it isn't an OS that has much desktop visibility
like the systems that are part of this competition.

------
old-gregg
How do these competitions declare a winner? Snippets like "it only took 4
seconds" suggest they use the total exploit running time as the only criteria?

~~~
wepple
They go into a randomized lottery which decides who gets to run their exploit
first. They then have a set time to exploit the device (commonly 2 minutes),
and if they can't do it the next team in gets to go.

Generally once a target has been compromised, no other teams are allowed to
use the same vulnerabilities. This prevents a team from sharing an
exploit/vuln with others who run it again. The downside is that if you've been
working on an exploit chain for 6 months but a team runs a similar bug ahead
of you, your work is worthless.

------
Theodores
...this had me concerned for a minute, then I read the article and realised
that 'Pixel' now means a phone and not a Chromebook. Panic over!

~~~
seanp2k2
Yeah, it makes no sense to me for Google to throw away their Nexus brand and
all the good will they built up behind it. If the Pixel (phone) was really
made by Google, it might make a bit of sense to keep the Pixel branding in the
sense that it's manufactured by Google vs Nexus where it's not. But the Pixel
phone is made by HTC, just like the Nexus phones. To add to the confusion,
they already had the Chromebook Pixel (small laptop), the Pixel C (tablet),
and now the Google Pixel (phone). I half expect their next device to be the
Pixel Potato, given their numbering sequence.

~~~
kijin
Nexus kinda ran out of numbers, since they already used 7 for the tablet.

Google experimented for a while with weird model numbers like 5X and 6P, but
seems to have decided against continuing it. It's the version wars all over
again. Who wants to be stuck at 5 and 6 when Apple is at 7, Samsung will soon
return with an 8, and Microsoft already played the "we'll skip ahead to 10"
card?

~~~
paulryanrogers
Where is SemVer for hardware models?

~~~
ddispaltro
SemVer is alive and well for hardware, every revision is incompatible with the
previous.

------
lanius
$520,000 in a day. I wonder how many man-hours were spent prior to the
competition?

~~~
samfisher83
They work for a Chinese anti-virus company, Qihoo 360. I wonder who got the
prize money, the hackers or the company.

------
drieddust
Kudos to the team, but these events demonstrate how broken the security is and why
we should be scared.

A complete redesign is required but it won't happen unless it causes major
catastrophe and losses.

~~~
yincrash
Is there a source for why a complete redesign would be needed?

~~~
drieddust
Yes, if a user program like Flash results in pwning the device, the security model
is broken. Ideally when a user level program is compromised it should not be
able to impact the OS in any condition if the security architecture was adhered to as
it was envisioned. But every single OS out there has chosen the easy way out.

At the hardware level, CPU rings exist to protect the kernel from rogue programs and
each other, but in reality all that protection is either completely or
partially circumvented.

I read a paper on this a year back. I will try to find the link and post it
here.

~~~
yincrash
Okay, apologies, I thought you were talking about the Pixel. After watching
the video, it's unclear whether or not the exploit was in a user mode
application or one with system permissions.

~~~
drieddust
Apple Safari, Adobe Flash, and Microsoft Edge are all user mode applications.
If they are not, then the problem is impossible to solve anyway.

------
cagey_vet
Breathless exclamations of relative ease of exploit execution are just
subjective editorial flair, for those keeping track of the well-intended
neophyte observations. The entire thing comes off subjective. In modern
journalism courses don't they preach about avoiding that pitfall? Unless
everyone in tech writing wants to be Hunter Thompson by breaking all the
rules.

~~~
grzm
I think it's more likely that many authors of on-line publications don't have
journalism degrees or haven't taken courses. The web has made it easier for
anyone to publish, which is great. People have been able to hone their writing
skills and get feedback (through eyeballs and clicks) on how to increase their
audience. However, that incentive alone doesn't necessarily align with
quality.

As professional journalism has moved from print to on-line, they've been
struggling to figure out how to sustain their businesses. The on-line
incentives for eyeballs/clicks are now strong for them as well, and they've
understandably hired people who have proven to attract online readers. Early
on it was clearer to identify the "blog" section of an online publication, but
that's become increasingly difficult.

Stray thought: Is there a resource out there to view the credibility of
stories by byline?

------
TwoBit
Any Chrome or Firefox breaches?

~~~
wepple
Firefox isn't included in these competitions; it was a while back but has been
removed.

Not 100% sure why, but I figure Mozilla don't pay out significant bounties and
compromise of the browser is relatively easy compared to other targets given
there's no real sandbox.

------
bitmapbrother
MacOS Sierra was hacked in 20 seconds and Flash in 4 seconds.

