iPhone X, Samsung Galaxy S9, and Xiaomi Mi 6 fall prey to hacking in the Pwn2Own hacking competition in Tokyo
Trend Micro-sponsored Pwn2Own, the annual hacking contest, that took place at the PacSec security conference in Tokyo, saw hackers successfully exploit iPhone X, Samsung Galaxy S9, and Xiaomi Mi6. Other handsets such as Google Pixel 2 and Huawei P20 too were involved in the contest.
For those unaware, Trend Micro, a global leader in cyber-security solutions, hosts Pwn2Own in an effort to promote its Zero Day Initiative (ZDI) program, that is designed to reward security researchers to exploit the latest and most popular mobile devices and demonstrate and disclose major zero-day vulnerabilities to tech companies. Following the contest, vendors will have 90 days to produce patches for these bugs.
Day 1 at the Pwn2Own Tokyo 2018
At the start of day one, Amat Cama and Richard Zhu from the “Fluoroacetate” team were the first to hack Xiaomi Mi 6 with the help of NFC component.
They used the touch-to-connect feature to force-open the web browser on the phone and navigate to their specially crafted webpage following which the webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution. This hack earned them $30,000 USD and 6 Master of Pwn points.
“During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world,” ZDI reports in a blog post.
Later, the Fluoroacetate team went on to exploit another handset, Samsung Galaxy S9. They used a heap overflow in the baseband component to get code execution on the device. This hack earned the team another $50,000 USD and 15 more points towards Master of Pwn. Fluoroacetate also hacked iPhone X via Wi-Fi using a pair of bugs – a JIT (Just-In-Time) vulnerability in the web browser followed by an Out-Of-Bounds write for the sandbox escape and escalation. This hack fetched them another $60,000 USD and 10 additional Master of Pwn points.
Besides the Fluoroacetate team, another team MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) from UK too tried their luck on Xiaomi 6 and Samsung Galaxy S9. In the case of Xiaomi 6, they used a code execution exploit via Wi-Fi that forced the default web browser to navigate to a portal page. They then chained additional bugs together to silently install an application via JavaScript, bypass the application whitelist, and automatically start the application. This hack earned the MWR team $30,000 USD and 6 Master of Pwn points.
The MWR Labs team also combined three different bugs to successfully exploit the Samsung Galaxy S9 over Wi-Fi. They forced the phone to a captive portal without user interaction, then used an unsafe redirect and an unsafe application load to install their custom application. Although they failed in their first attempt, they successfully hacked in its second attempt, which earned the team $30,000 USD and 6 more Master of Pwn points.
Michael Contreras, a researcher who was last entry of the day, received $25,000 USD and 6 Master of Pwn points for hacking the Xiaomi Mi 6 browser via JavaScript type confusion flaw.
Day 2 at the Pwn2Own Tokyo 2018
The second day at the Pwn2Own Tokyo 2018 started with Fluoroacetate team exploiting one more zero-day vulnerabilities in iPhone X and Xiaomi Mi 6.
Their first iPhone X zero-day combined a JIT bug in the browser along with an out-of-bounds access that resulted in a deleted photo getting exfiltrated from the targeted phone. This hack fetched them a $50,000 USD.
In the case of Xiaomi Mi6, the team used an integer overflow vulnerability that allowed them to exfiltrate a picture from the device, earning them an additional $25,000 USD.
MWR Labs too successfully hacked the Xiaomi Mi6 on the second day. They loaded a custom application by combining a download bug along with a silent app installation and stole some pictures from the phone. They earned $25,000 USD for this hack.
Team Fluoroacetate with a total of 45 points and $215,000 USD in prizes won the title of Master of Pwn!
