Google Pixel Hack Highlighted At PWNFEST

Google’s Pixel, the smaller of the two new phones from Google, presents Android 7.1 (Nougat) in a hand-friendly package. The hardware is powerful, and the software is clean, robust, and mostly secure. Like any other device ever made that runs software, of course, there is bound to be at least one way to get the phone to jump through hoops that it shouldn’t be jumping through, and 360 Alpha Team, a hacking team affiliated with Qihoo 360, happened to find one of those ways. They took to the floor on the first day of the PWNFEST security enthusiast and white hat hacker convention to show off their exploit, and walked away with $120,000 for their troubles.

The details of the exploit in question were not disclosed, but it allowed for remote code execution without proper authorization. In essence, the hack would allow somebody to not only gain full control of a Pixel, but also access all of the data on it, encrypted or not. 360 Alpha Team’s people showed off the exploit by having the pwned device open up the front page of the Play Store without anybody touching the phone, then open a Chrome window that displayed the text, “Pwned by 360 Alpha Team”. Since the nature of the hack was not publicly disclosed, it’s unknown if it affects only Pixel devices, all Android 7.1 devices, or all Android devices in general.

This is not the Pixel’s first time being pwned, showing that the newly released pair of devices has a ways to go when it comes to security. The last time a Pixel was hacked was less than two weeks ago, at the hands of Tencent’s Keen Team. The hack was of the zero-day variety, and was shown off at Japan’s Pwn2Own event, a well-known hackfest where, as the name implies, those who can hack a device will get one, among other prizes. That exploit is still unpatched to this day, and Google is working on a fix for both it and the more recent vulnerability found by 360 Alpha Team. With the November security patch already out, the Android faithful can probably expect to see these two flaws patched in one of the future security updates.