Back to All Events

Pwning Nexus of Every Pixel: Chain of Bugs demystified

by Qidan He, KeenLab, Tencent

The security of Android devices has been strengthened a lot since the release of Android Nougat, thanks to the great work by Android Security Team, making the life of attackers harder. However where there is a will, there is a way. After months of research we've successfully come up with a chain of exploitation to tackle this challenge. In October 26th Mobile Pwn2Own 2016 Tokyo, KeenLab scored Master of Mobile Pwn2Own by pwning Nexus and Pixel running newest Android using three bugs, allowing us to install arbitrary applications and take control of all juicy permissions such as SMS, Photo, Microphone and Contact. In this talk we will dive in details about the JIT compiler infrastructures and engines of V8 (e.g. crankshaft), which is rarely talked about before, and how OOBs occur under certain carefully prepared conditions and turned into full exploit. We will then explain how to use two logical bugs, one in Chrome IPC to break out the Chrome Android's sandbox in `unexptected` ways and finally get arbitrary application installation.