Three major flagship smartphones—iPhone X, Samsung Milky Way S9, as well as Xiaomi Mi6—were amidst the devices that successfully got hacked at the annual mobile hacking competitor organized past times Trend Micro's Zero Day Initiative (ZDI), earning white chapeau hackers a sum of $325,000 inward reward.
Teams of hackers participated from unlike countries or representing unlike cybersecurity companies disclosed a sum of eighteen zero-day vulnerabilities inward mobile devices made past times Apple, Samsung, as well as Xiaomi, equally good equally crafted exploits that allowed them to completely accept over the targeted devices.
Apple iPhone X Running iOS 12.1 — GOT HACKED!
H5N1 squad of 2 researchers, Richard Zhu as well as Amat Cama, who named themselves Fluoroacetate, discovered as well as managed to exploit a yoke of vulnerabilities inward a fully patched Apple iPhone X over Wi-Fi.
The duo combined a just-in-time (JIT) vulnerability inward the iOS spider web browser (Safari) along amongst an out-of-bounds write põrnikas for the sandbox escape as well as escalation to exfiltrate information from the iPhone running iOS 12.1.
For their demonstration, the yoke chose to recall a photograph that had lately been deleted from the target iPhone, which sure enough came equally a surprise to the individual inward the picture. The query earned them $50,000 inward prize money.
 |
| Richard Zhu as well as Amat Cama (Team Fluoroacetate) |
Another squad of researchers from UK-based MWR Labs (a segmentation of F-Secure), which included Georgi Geshev, Fabi Beterke, as well as Rob Miller, also targeted the iPhone X inward the browser category but failed to instruct their exploit running inside the fourth dimension allotted.
ZDI said it volition instruct those vulnerabilities through its full general ZDI program.
Samsung Milky Way S9 — Also, GOT HACKED!
Besides iPhone X, Fluoroacetate squad also hacked into the Samsung Milky Way S9 past times exploiting a retentivity heap overflow vulnerability inward the phone's baseband factor as well as obtaining code execution. The squad earned $50,000 inward prize coin for the issue.
"Baseband attacks are particularly concerning since someone tin sack direct non to bring together a Wi-Fi network, but they induce got no such command when connecting to baseband," Zero Day Initiative wrote inward a blog post (Day 1).
Three to a greater extent than unlike vulnerabilities were discovered past times the MWR team, who combined them to successfully exploit the Samsung Milky Way S9 over Wi-Fi past times forcing the device to a captive portal without whatever user interaction.
Next, the squad used an dangerous redirect as well as an dangerous application charge inward guild to install their custom application on the target Samsung Milky Way S9 device. MWR Labs was rewarded $30,000 for their exploit.
Xiaomi Mi6 — Yes, This Too GOT HACKED!
Fluoroacetate did non halt there. The squad also managed to successfully exploit the Xiaomi Mi6 handset via NFC (near-field communications).
"Using the touch-to-connect feature, they forced the telephone to opened upwards the spider web browser as well as navigate to their specially crafted webpage," ZDI said.
"During the demonstration, nosotros didn't fifty-fifty realize that activeness was occurring until it was besides late. In other words, a user would induce got no run a jeopardy to foreclose this activeness from happening inward the existent world."
The vulnerability earned the Fluoroacetate squad $30,000 inward prize money.
On Day 2 of the competition, the Fluoroacetate squad also successfully utilized an integer overflow vulnerability inward the JavaScript engine of the spider web browser of the Xiaomi Mi6 smartphone that allowed them to exfiltrate a motion painting from the device.
The põrnikas earned them about other $25,000.
 |
| Georgi Geshev, Fabi Beterke, as well as Rob Miller (MWR Labs) |
MWR Labs also tried its hands on the Xiaomi Mi6 smartphone as well as combined 5 unlike bugs to silently install a custom application via JavaScript, bypass the application whitelist, as well as automatically launch the app.
To accomplish their goal, the white chapeau hackers start forced the Xiaomi Mi6 phone's default spider web browser to navigate to a malicious website, when the telephone connected to a Wi-Fi server controlled past times them.
The combination of vulnerabilities earned the MWR squad $30,000.
On Day 2, the MWR squad combined a download flaw along amongst a soundless app installation to charge their custom application as well as exfiltrate about pictures from the phone. This earned them about other $25,000.
H5N1 split upwards researcher, Michael Contreras, managed to exploit a JavaScript type confusion vulnerability to obtain code execution on the Xiaomi Mi6 handset. He earned himself $25,000.
Fluoroacetate Won 'Master of Pwn' Title This Year
With the highest of 45 points as well as a sum of $215,000 prize money, Fluoroacetate researchers Cama as well as Zhu earned the championship 'Master of Pwn,' logging 5 out of half-dozen successful demonstrations of exploits against iPhone X, Milky Way S9, as well as Xiaomi Mi6.
Details of all the zero-day vulnerabilities discovered as well as exploited inward the competitor volition hold upwards available inward xc days, equally per the pwn2Own contest's protocol, which includes notifying vendors as well as OEM while deployments.
The vulnerabilities volition rest opened upwards until the affected vendors number safety patches to address them.
