Chinese hackers clean up at PwnFest contest

Members of Qihoo 360's cyber security team won the gold "Lord of Pwn" trophy during the PwnFest contest held Nov 10-11 in Seoul, South Korea. [Photo provided to chinadaily.com.cn]

Chinese cyber security contestants from Qihoo 360 were crowned "Lords of Pwn" at last week's PwnFest in South Korea.

PwnFest is a newly-launched vulnerabilities pwning contest run by South Korean cyber security conference organizer, the Power of Community (POC).

Supported by Microsoft, Google, Apple, Adobe and VMware, the contest provides valuable information to the companies to enable them to patch software to prevent dark-side hackers exploiting holes for malicious purposes.

The $1.7 million-prize for winning the contest overall is the highest of similar competitions in the industry.

Teams from Qihoo 360 Technology, one of China's largest cyber security companies, defeated rivals in the pwning challenges targeting Microsoft Edge, VMware Workstation, Adobe Flash and Google Pixel. They won the gold "Lord of Pwn" trophy and a total of $530,000 in prize money for taking home the most medals.

The VMware hasn't been cracked for seven years.

The targets of the contest were chosen from a variety of systems that have been updated recently, including Microsoft Edge, Android 7.0, Microsoft Hyper-V, Google Chrome, Apple iOS 10 and Safari + Mac OS X Sierra, Adobe Flash and VMware Workstation Pro 12.

A joint team of Pangu, a Chinese hacking team famous for iOS jailbreaks, and JH hackers, claimed the $100,000 prize for finding the latest Safari weakness that gave them root access to Mac OS Sierra.

Chen Xiaobo, one of the core members of Pangu, told the media that they still have the ability to jailbreak the latest iOS 10.1.1.

The team delivered a speech named "Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10" at the POC 2016 conference which is held alongside the contest. They discussed some security enhancements in iOS 10 and new hardware-based protection for iPhone7 Plus.

"In fact, iOS 10 has fixed lots of unpublished bugs and enhanced some security mechanisms such as KPP, sandbox and the kernel heap management," the team said.

Another participant named Jung Hoon Lee, a 22-year-old South Korean known as Lokihardt, earnt almost $300,000 at the PwnFest competition for pwning Microsoft Edge and VMWare Workstation.

Six topics from Chinese teams were chosen to be presented at the conference, covering research into the vulnerabilities of web browsers, mobile operating systems, virtual systems and autonomous driving.

Four of the six were presented by teams from Qihoo 360's cyber security innovation center, including 360Vulcan, 360Marvel, 360Unicorn and 360Sky-go teams, which specialize in security research and development for operating systems and software, virtual systems, wireless and automobile industries.

Zheng Wenbin, known as MJ0011, heads the vulnerability research team, which has achieved hundreds of Common Vulnerabilities and Exposures (CVEs) from Microsoft, Apple and Adobe.

Being a regular at POC, Zheng said that although the numbers of attendees and topics of POC were fewer than some of the word's high-profile hackers' events, such as Black Hat, some of the issues on the agenda were about cutting-edge technologies in the security industry.