White hat hackers and IT security researchers have once again proved their elite skills at Pwn2Own 2018 after exposing critical security vulnerabilities in products developed by popular vendors like Apple, Samsung, and Xiaomi.
Pwn2Own is organized by cybersecurity giant Trend Micro’s Zero Day Initiative in Tokyo where hackers took part in exploiting zero-day flaws in products developed by the aforementioned popular vendors.
1st day at Pwn2Own Tokyo 2018
Xiaomi Mi 6 hacked
On the first day at Pwn2Own (November 13th, 2018), a team of white hat hackers called “Fluoroacetate” led by Richard Zhu and Amat Cama used an NFC exploit to successfully hack Xiaomi Mi 6 smartphone. As a result, the team earned $30,000.
Xiaomi Mi 6 and Samsung Galaxy S9 hacked
Next team who participated in the event was MWR Labs from the United Kingdom led by Georgi Geshev, Fabi Beterke, and Rob Miller. The team also exploited vulnerabilities in Xiaomi Mi 6 and earned $30,000 after hacking the device with a code execution flaw through WiFi.
In another attempt; the team successfully installed an application on the device via JavaScript. Furthermore, MWR Labs earned an additional $30,000 for hacking the Samsung Galaxy S9 device by combining three different bugs thus allowing them to run a malicious application to install their custom application without user interaction.
Samsung Galaxy S9 and iPhone X hacked
The Fluoroacetate team made a comeback by targeting Samsung Galaxy S9 with a code execution exploit through a heap overflow in the phone’s baseband component – The successful hack earned the team $50,000. Moreover; in another demonstration, Fluoroacetate hacked an iPhone X over WiFi. In its attack, the team used a Just-In-Time (JIT) flaw and an Out-Of-Bounds write bug – The team earned $60,000 USD for their iPhone X hack.
Xiaomi Mi 6 hacked
In the last demonstration for day one, an IT security researcher Michael Contreras won $25,000 by hacking the Xiaomi Mi 6 browser by exploiting a type confusion in JavaScript.
2nd day at Pwn2Own Tokyo 2018
iPhone X hacked
On the second day at Pwn2Own Tokyo 2018, hackers from team Fluoroacetate hacked iPhone X. The hack was of high significance as it demonstrated how malicious hackers can steal deleted photos from the targeted phone.
In its attack, the team used an out-of-bounds access flaw along with Just-In-Time (JIT) bug leading to exfiltrating personal data from iPhone X – This team earned $50,000 for this hack.
Xiaomi Mi 6 hacked
The Fluoroacetate team also utilized their skills on Xiaomi Mi 6 device and hacked the device’s web browser using integer overflow in the JavaScript engine. The hack allowed the team to exfiltrate a picture from the phone – The hack earned the team $25,000.
Xiaomi Mi 6 hacked again
The Xiaomi Mi 6 smartphone was once again hacked after the MWR Labs team targeted its web browser by downloading a bug and installing an app on the device to load their own application to steal photos saved on the device – This feat earned the team another $25,000.
A standout result according to the organizers; the title Master of Pwn! was earned by Amat Cama and Richard Zhu Fluoroacetate with $215,000 and 45 points.
The security vulnerabilities exposed and exploited by hackers during the Pwn2Own Tokyo 2018 highlight the vulnerable state of expensive smartphones. It also proves that smartphones regardless of how high-profile and well known their vendors are, are highly vulnerable to malicious attacks and pose a critical threat to our overall privacy and to the data stored on them.