The Israeli publisher won the prize for the best mobile fault, which he also used in his Pegasus spy software. Google was pilloried for ruining an anti-terrorist operation.
As every year, the hacker community found itself on the sidelines of the Black Hat conference to award the “Pwnie Awards”, pretty little ponies that reward particular performances… or fiascos in the field of computer security.
This year, as the Heise.de website reports, the winners are particularly interesting, starting with NSO Group. The Israeli publisher, singled out for its commercial strategy with little regard for human rights, received the prize for the best mobile flaw (“ Best MobileBug ) for “ForcedEntry”, an attack carried out on iOS terminals. You could say that’s a little cynical, but from a technical point of view, it’s well deserved.
Google security researchers analyzed NSO’s work in detail and were blown away by the level of complexity. Israeli hackers have used iMessage to create a 0-click attack capable of bypassing Apple’s brand new “BlastDoor” protection device. And to achieve this, they literally created a Turing-complete virtual machine within an iPhone image parser, complete with registers, logical operators and all that goes with it. Pure madness. According to Vice, no representative of NSO has yet come to recover his little pony. That’s a shame.
“Private sales” on HackerOne
Google, for its part, received the award for the worst supplier reaction (“ Latest Vendor Response “). In 2021, the computer giant revealed a hacking campaign that relied on 11 zero-day flaws in Windows, Android and iOS. In reality, it was a Western counter-terrorist operation which, as a result, was ruined. Google couldn’t ignore this, but the company stuck to its guns, putting bug hunting above any other ethical consideration. An inappropriate reaction, considered the jury.
The price of the biggest fiasco (“ Most Epic Fail “) was awarded to an employee of HackerOne, an online platform for hunting down computer vulnerabilities. The winner had access to the vulnerabilities reported by users and used them without any scruple to organize parallel private sales of zero-day vulnerabilities. Sure, he was in the right place to do it. But, it will probably never be again.
In a more fun way, the prize for the best song (“Best Song”) was awarded to the Mammoth project and its track “Dialed Up”. Long of 3 minutes and 24 seconds, it embeds a whole “Capture The Flag” type treasure hunt with a dozen challenges to solve. The game started on August 6 and will end on August 15.
Other winners include:
- the searcher Yuki Chen who single-handedly found more than 50 flaws in Windows Server (“Most Epic Achievement”),
- the group of researchers who found the HertzBleed attack (“Best Cryptographic Attack”),
- Dawn Security Lab for the Mystique vulnerability in Android (“Best Privilege Escalation”),
- the searcher Yannayl for its IP spoofing technique (“Most Under Hyped Research”),
- the Kunlun Lab company for the discovery of a zero-day flaw that dated back more than twenty years in Windows RPC and which reached a dangerousness score of 9.8 out of 10 (“Best Remote Code Execution”),
- the group of researchers who found the recent Aepic Leak flaw in Intel and AMD processors (“Best Desktop Bug”),
- researchers from the Sapienza University of Rome for the creation of the Custom Processing Unit (“Most Innovative Research”) dynamic analysis tool.