Chain of 11 Bugs Takes Down Galaxy S8 at Mobile Pwn2Own

Researchers from MWR Labs used 11 vulnerabilities across six different mobile applications to execute code on a Samsung Galaxy S8 at Mobile Pwn2Own.

The mobile version of the annual Pwn2Own contest wrapped up today in Tokyo with an unprecedented attack chain leveling the Samsung Galaxy S8.

Researchers from MWR Labs used 11 vulnerabilities across six different mobile applications to execute code on Samsung’s flagship device and exfiltrate data. The zero day was worth $25,000 in prize money.

“The multitude of bugs also allowed them to persist after a reboot,” said contest organizers ZDI Initiative in a statement.

ZDI said this year’s event yielded 32 vulnerabilities which it purchased; the contest handed out $515,000 to researchers. All exploits must be for previously unreported bugs, and once confirmed, are disclosed to the respective vendors. The vendors are given 90 days to patch or communicate a reasonable reason why the bug isn’t fixed, otherwise, ZDI publishes a public advisory with limited details.

The contest began Tuesday with five successfully demonstrated exploits and $350,000 in prize money handed out. Contestants also had to contend with a medley of patches released by the respective vendors on Nov. 1, including updates to iOS from Apple, and Android from Google. All of the devices used in the event were fully patched, ZDI said.

MWR earned another $25,000 with another lengthy chain of five vulnerabilities in different Huawei applications to escape the browser sandbox on the Huawei Mate9 Pro on Chrome, and exfiltrate data.

Qihoo 360 Security of China also cashed in to the tune of $45,000 with two successful exploits against the iPhone 7.

The first required three bugs, but one of which had already been demonstrated and disclosed by another competitor. The attack, however, did get the researchers code execution through Wi-Fi on the Apple device and was worth $20,000.

The second Qihoo attack earned the researchers $25,000 for exploit against Safari using one vulnerability in the browser and a second in a system service, ZDI said.

Researcher Amat Cama, who goes by the handle Acez, used a stack buffer overflow to get code execution on the Galaxy S8 baseband processor, earning $50,000.

On Day 1, Tencent Keen Security Lab of China were huge winners netting $255,000 for two successful attacks against the iPhone 7 and a baseband attack against the Huawei Mate9 Pro baseband processor.

Qihoo 360 started the event with a $70,000 prize for a Galaxy S8 browser bug.

Researchers Richard Zhu won another $25,000 for a Safari bug on the iPhone 7.

Suggested articles

Hey Alexa, Who Am I Messaging?

Research shows that microphones on digital assistants are sensitive enough to record what someone is typing on a smartphone to steal PINs and other sensitive info.