RIM to Co-Sponsor 2012 Mobile Pwn2Own Contest

By Michelle Haag on 27 Jul 2012 06:11 pm EDT
BlackBerry is secure!
Research In Motion is co-sponsoring this year's Pwn2Own competition along with AT&T, HP DVLabs, and TippingPoint. The event, being held at the EUSecWest conference in Amsterdam on September 19th and 20th, will be the first Pwn2Own dedicated to the mobile attack surface. The primary goal is to demonstrate the current security posture of the most prevalent mobile technologies in use today, including attacks on mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband.

Contestants will choose the device they wish to compromise during pre-registration, with phones such as the BlackBerry Bold 9930, Samsung Galaxy S3, Nokia Lumia 900, and iPhone 4S among the options. The exact OS version, firmware and model numbers will also be coordinated during pre-registration. The only requirement is that it be a current device running the latest operating system. For those registering on-site, the devices listed above will be available if the target is not already compromised.

A successful attack against these devices must require little or no user interaction and must compromise or exfiltrate useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities used in the attack must be 0-days.

What's a competition without prizes? A successful compromise of any of these targets will win the contestant the cash prize, the device itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. (Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.)

On top of that, the first researcher to compromise a device for each of the vectors will receive a BlackBerry PlayBook as well as the prize money listed below.

  • Mobile Web Browser - $20,000 USD
  • NFC - $40,000 USD
  • SMS - $40,000 USD
  • Cellular Baseband - $100,000 USD

If you're interested in registering, you must contact ZDI via email. Complete details and registration information can be found at the link below.

More information about Pwn2Own from TippingPoint

Reader comments


If I understand it right, they are asking the people to hack these phones? I think this will be a real chance for RIM to rise from others. I bet the Android OS would be the first one to go, then iOS, and BlackBerry will stand tall.

Yep, it's exactly what they do. Some of these guys are impressive. An iPhone was hacked in 20 seconds one year. It took someone 15 minutes (or thereabouts) but they were able to access a couple things on a BlackBerry, nothing too important though.

20 seconds?? Cripes. Wonder which device Carly Rae Jepsen was using when her nude photos and vids were hacked and posted on the 'Net. Call me maybe... Curious.

Ok. This is warranted. We're talking about mobile security. "Call Me, Maybe" is the song that made her popular. You're just a fucking idiot.

BlackBerry dominates in security! This is why I think BlackBerry will be around for a long time! Privacy is a must for most people. Imagine if people see how easily other platforms can be hacked. That's a HUGE turn off.


It seems like the rules are really restrictive in terms of the possible modes of attack. I just hope that RIM has "rigged" the contest to ensure there is a winner.

I hope Google does not fund someone to create an attack on iOS and BB just to prove a point. It is my understanding that everything is hackable given enough time or money.

Is the activation of encryption allowed?


Let whomever come with whatever regardless of where their tools/tricks originate; no holds barred. Allow each company to fund whomever they want. It's good for the industry as a whole. Malicious hackers aren't constrained by rules or parameters.

From reading the article it was really tough to exploit BB6. It's doable but it's still the most secure and required more effort. I'm wondering why BB7's OS wasn't tested instead, seeing that it's RIM's latest released OS.

Your quote was about the 2011 contest. I haven't read anything about BB7's being exploited yet. We can still be confident (not cocky).