Eastern Promises: Mobile VRP Lessons For Bug Hunters
In the past few years, we’ve tried our hand at Vulnerability Reward Programs (VRPs) covering all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made. In this talk, we will focus on the takeaways from all this. Some of it has to do with how to (and how not to) select an attack surface or a product model, how to decide what to give up on and what to double down on, and how to make the best use of the decisions that vendors communicate and the security updates they publish.
To keep the content technical, we’ll go back to our vault of Android vulnerabilities and discuss some of our past VRP submissions in the context of the lessons to take from them. We will include examples from several vendors (Mediatek, Unisoc, Samsung, Huawei), span the last 5+ years to demonstrate instances of progress that VRPs have actually made, and dive into different attack surfaces including networking stacks, privilege separation escalations into and below the kernel level, and everyone’s favorite category: OEM security “features”.
While discussing vulnerabilities both old and new, we’ll describe what are, to our knowledge, the first public examples of:
* emulation and fuzzing of Huawei Kirin Hypervisors,
* bug hunting in a particular remotely accessible interface of Mediatek Chipsets, and
* a deep-dive into the reverse engineering and security analysis of Unisoc’s TEE.
Each of those case studies will feature vulnerabilities disclosed for the first time, and we will include exploit demos as well.
Throughout these examples, we’ll talk about our failures in target selection, bug triage, root cause analysis (RCA), variant analysis, and patch tracking, and provide suggestions on how to avoid falling into the same traps.