Apple's software security has reportedly been defeated at the Tianfu Cup hacking contest in China, with thousands of dollars worth of prizes being handed out to participants for demonstrating vulnerabilities in Safari and iOS 14.
The winning team at the 2020 Tianfu Cup contest
The contest, which took place on Saturday and Sunday, saw teams attempting to successfully demonstrate exploits that attack a wide variety of hardware. For the 2020 competition, the Apple-specific targets for the teams were Safari running on a 13-inch MacBook Pro and iPhone 11 Pro running iOS 14.
Each device had a list of requirements to meet to qualify for prizes given out by Tianfu Cup's organizers. For Safari, which had security researchers using Safari to browse a remote URL and enable the control of the browser or the Mac, $40,000 was on offer for a successful remote code execution (RCE) attack, rising to $60,000 for an RCE with a sandbox escape.
For the iPhone and iOS 14, teams had similar requirements as for Safari, but with the addition of needing to "bypass the PAC mitigation." The RCE earned hackers $120,000 if successful, rising to $180,000 and additional prizes for a sandbox escape and $300,000 for a remote jailbreak.
According to the published results, one team managed a sandbox escape in Safari, while two sandbox escapes were performed in iOS 14, resulting in payouts totaling $420,000.
The details of the exploits were not released, but were provided to Apple for patching under a responsible disclosure policy. Once patched, or a sufficient period of time has passed, the details of the vulnerabilities are usually shared by the researchers who discovered them.
Now in its third year, the Tianfu Cup is largely modeled after Pwn2Own in structure, with many of the researchers previously taking part in that competition. A change in Chinese regulations effectively banned security researchers from taking part in international contests, over national security fears.
The winning team from the weekend was the Qihoo 360 Enterprise Security and Government Vulnerability Research Institute, earning $744,500 from its submissions. Second place went to Ant-Financial Light-year Security Lab with $258,000, while security researcher "Pang" was third with $99,500.