Three major mobile phone models – the Samsung Galaxy S9, iPhone X and the Xiaomi Mi6 – failed to survive the hacker onslaught at this year’s Pwn2Own Tokyo 2018.
In all, 18 exploits, with some attacks chaining together as many as five exploits, were used to own the three phones and earn hacker teams a collective $325,000 in prize money.
On day one of the two-day hacking contest, team Fluoroacetate (Amat Cama and Richard Zhu) used a heap overflow bug in the Samsung Galaxy S9 to earn themselves $50,000 in prize money. The vulnerability targets the baseband component of the Galaxy S9 to achieve code execution.
“Baseband attacks are especially concerning, since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband,” wrote event organizer Zero Day Initiative in a blog post.
Next up, a team from MWR Labs (Georgi Geshev, Fabi Beterke and Rob Miller) took down the Xiaomi Mi6 handset by chaining together five different bugs, earning them $30,000. When the Xiaomi Mi6 phone connected to a hacker-controlled Wi-Fi server, the team was able to force the phone’s default web browser to navigate to a malicious website.
“They then chained additional bugs together to silently install an application via JavaScript, bypass the application white-list and automatically start the [rogue] application,” ZDI wrote.
iPhone X also fell to team Fluoroacetate, which targeted the handset over Wi-Fi. Hackers chained a just-in-time (JIT) vulnerability in the phone’s browser with an out-of-bounds write for a sandbox escape and a privilege-escalation vulnerability. The combination earned the team $60,000 in prize money.
Fluoroacetate was the most successful team overall, logging five out of six successful demonstrations against the Galaxy S9, iPhone X and the Mi6. On the team’s last attempt, a baseband exploit against the iPhone X, their luck ran out and they couldn’t get an exploit to work within the time allotted. Still, the team earned $215,000 in prizes overall, and took the contest’s biggest honor, the title of “Master of Pwn.”
Individual vulnerability details will be available in 90 days, per the contest’s protocol, which includes vendor notification and OEM patch deployments.