Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward.
Teams of hackers from different countries, some representing cybersecurity companies, disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, and crafted exploits that allowed them to completely take over the targeted devices.
Apple iPhone X Running iOS 12.1 — GOT HACKED!
A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to exploit a pair of vulnerabilities in a fully patched Apple iPhone X over Wi-Fi.
The duo chained a just-in-time (JIT) compiler vulnerability in the iOS web browser (Safari) with an out-of-bounds write bug, which provided the sandbox escape and privilege escalation needed to exfiltrate data from the iPhone running iOS 12.1.
For their demonstration, the pair chose to retrieve a photo that had recently been deleted from the target iPhone, which certainly came as a surprise to the person in the picture. The research earned them $50,000 in prize money.
Photo: Richard Zhu and Amat Cama (Team Fluoroacetate)
Another team of researchers, from UK-based MWR Labs (a division of F-Secure) and consisting of Georgi Geshev, Fabi Beterke, and Rob Miller, also targeted the iPhone X in the browser category but did not get their exploit working within the allotted time.
ZDI said it will acquire those vulnerabilities through its general ZDI program.
Samsung Galaxy S9 — Also, GOT HACKED!
Besides the iPhone X, the Fluoroacetate team also hacked the Samsung Galaxy S9 by exploiting a heap overflow vulnerability in the phone's baseband component to obtain code execution. The team earned $50,000 in prize money for the issue.
"Baseband attacks are especially concerning since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband," Zero Day Initiative wrote in a blog post (Day 1).
Three further vulnerabilities were discovered by the MWR team, who chained them to exploit the Samsung Galaxy S9 over Wi-Fi by forcing the device onto a captive portal without any user interaction.
Next, the team used an unsafe redirect and an unsafe application load to install their custom application on the target Samsung Galaxy S9. MWR Labs was rewarded $30,000 for the exploit.
Xiaomi Mi6 — Yes, This Too GOT HACKED!
Fluoroacetate did not stop there. The team also managed to exploit the Xiaomi Mi6 handset via NFC (near-field communication).
"Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage," ZDI said.
"During the demonstration, we didn't even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world."
The vulnerability earned the Fluoroacetate team $30,000 in prize money.
The bug earned them another $25,000.
Photo: Georgi Geshev, Fabi Beterke, and Rob Miller (MWR Labs)
To achieve their goal, the white hat hackers first forced the Xiaomi Mi6 phone's default web browser to navigate to a malicious website once the phone had connected to a Wi-Fi network under their control.
The combination of vulnerabilities earned the MWR team $30,000.
On Day 2, the MWR team combined a download flaw along with a silent app installation to load their custom application and exfiltrate some pictures from the phone. This earned them another $25,000.
Fluoroacetate Won 'Master of Pwn' Title This Year
With the highest score of 45 points and a total of $215,000 in prize money, Fluoroacetate researchers Cama and Zhu earned the title 'Master of Pwn,' logging five successful exploit demonstrations out of six attempts against the iPhone X, Galaxy S9, and Xiaomi Mi6.
Details of all the zero-day vulnerabilities discovered and exploited in the competition will be made available in 90 days, as per the Pwn2Own contest's disclosure process, which covers vendor notification and OEM patch deployment.
The vulnerabilities will remain open until the affected vendors issue security patches to address them.