Launched just last month, Google’s own Pixel smartphone lineup has been hacked into by a team of Chinese hackers at the PwnFest 2016 event. While the Mountain View-based tech giant didn’t exclusively boast about any security features of the Pixel at the launch event, one obviously assumes that the device will most likely be safe from intrusion.
On Friday, at the PwnFest 2016 hacking competition in Seoul, a team of white-hat hackers operating under the moniker ‘Qihoo 360’ demonstrated a zero-day vulnerability(undisclosed and unpatched) to gain access to the Pixel in under 60 seconds. This exploit, as noted by The Register, allowed the intruders to execute remote code and install malicious code on Google’s new own-brand smartphones with ease.
As demonstrated on stage at the hacking event, Qihoo 360 used the vulnerability to launch the Google Play Store before opening Chrome and displaying a web page with the message “Pwned By 360 Alpha Team”. Now, they showcased that access to no application including contacts, photos, messages, and phone calls was out of their reach.
This super-fast exploit not only helped the Chinese hacker team win a cash prize worth $120,000 but also made Google aware of a huge gaping hole in the security protocols of its new smartphone.
This is, however, not the first time that security vulnerabilities of the Google Pixel have been reported by a hacker team. Prior to Qihoo, Keen Team of Tencent discovered and used a zero-day exploit to gain access to phone data at the Mobile Pwn2Own event in Japan. The two vulnerabilities have been reported to Google and will most likely be fixed via monthly security update patches.
In addition, Qihoo 360 disclosed major zero-day vulnerabilities in the Edge browser on Microsoft’s Windows 10 and Adobe’s Flash — which was open to exploitation using a decade-old, use-after-free zero-day vulnerability. The team walked away from the event with a hefty $520,000 in monetary prizes.