About Keen Team

Keen Security lab was established in 2016 and transformed from the Keen Team. The team attends advanced security research such as PC / mobile operating systems, applications, cloud computing, IOT smart devices etc. As well Keen Security Lab widely focuses on Tencent products and technologies.

Liang Chen

Marco Grassi
Senior Security Researcher

James Fang
Senior Security Researcher

Wu Shi
Senior Security Researcher

Sen Nie
Security Researcher

Qidan He (Edward Flanker)
Security Researcher

Di Shen
Security Researcher

Security Researcher


Win the Virtual Machines Escapes (Guest-to-Host) category with a VMWare Workstation exploit at Pwn2Own 2017.

Master of Pwn title in Pwn2Own 2016

Led the team united with Tencent PC Manager team to win the Master of Pwn title in Pwn2Own 2016

LOS X category in Pwn2Own 2014.

Winner for iOS category in Mobile Pwn2Own 2013.

Lifetime Achievement Award nomination to Wushi for his 10-year continuous contribution to the worldwide security research community.

2 Best Privilege Escalation Award nominations for achievements on Windows TTF and Ping Pong Root.

Proud Speakers for:

Projects Done:

The Keen team successfully exploited vulnerabilities in the above iOS versions. Security researchers of the Keen team focused research on iOS vulnerability, mechanism and exploitation mitigations for a long time. As a result of that, Keen jailbreak overcome the iOS 12.2 Jailbreak on A12 devices. Further, Keen Lab accomplished iOS 12.1 Jailbreak, iOS 12 Jailbreak, iOS 11.3.1 Jailbreak, iOS 11.1.1 Jailbreak, iOS 11 Jailbreak & iOS 10.3.2 jailbreak using various devices at various worldwide hacking conferences. Get the Keen-lab supported jailbreak information as well as all the latest jailbreak information from Keen-Lab Jailbreak page.

Tesla Motors is considered to be one of the most comprehensive cyber-security automakers in the world. Last couple of months Keen team inspected the Tesla car and identified various security vulnerabilities and successfully implemented both physical connections or the Parking and Driving Mode of the Tesla Model S. Proud to say that we used an unmodified car with the latest firmware to demonstrate the attack.

Keen Lab uses the Blitzard kernel error to avoid the Safari renderer sandbox, existing in the blit operation of graphics pipeline for pwn2own. We used our own Exploitation method with The IGVector add function, add Drivers function and mainly with kalloc.48 and kalloc.4096.

Keen Lab focused on kernel exploit mitigations appeared on Android for the recent 2 years. Discovered implementation of mitigations/ bypassing techniques/Android WEXT attack surface analysis & details of three rooting exploits once affected most Android devices.

Pwn of Microsoft Edge comprises both Browser Remote Code Execution and browser sandbox bypass. Browser RCE succeeds by exploiting a Javascript vulnerability. Browser sandbox avoid by logical sandbox escape or Escalation of Privilege through kernel vulnerabilities. Used loops are D3DKMT Present with overflowing fields set in the buffer, D3DKMT Present with overflowing fields set in the buffer from multiple threads and BitBlt from another multiple threads.

The privilege chameleon on macOS
Consisting history of windowserver, basic concepts, architecture, CVE-2014-1314 design flaw and details of the pwnie nomination bug: CVE-2016-1804, which we used to inscribe the latest OS X El Capitan remotely with a browser exploit and improve root access. Resolves several issues discovered by Part 1 still existing in Window Server. Finally Exploited CVE-2016-1804 with full remote root by chaining with Safari exploit. Exploited both userland graphics and kernel graphics.