iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 all fell at the hands of hackers that found bugs in various components and crafted exploits that allowed complete take over of the targeted device.

All this happened at the PacSec security conference in Tokyo, during the Pwn2Own competition, organized by Trend Micro's Zero Day Initiative (ZDI) program. ZDI has more than half a million dollars in cash for prizes and has paid $325,000 for 18 valid vulnerabilities.

One team takes down three handsets on Day 1

At the beginning of day one, Amat Cama and Richard Zhu of team Fluoroacetate hacked the Xiaomi Mi6 via the NFX component.

The duo used the touch-to-connect feature to open the web browser on the device and navigate to a web page that exploited an out-of-bounds write vulnerability in WebAssembly and led to code execution

This sealed the state of the handset, pwned, and earned team Fluoroacetate its first $30,000.

"During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world," ZDI reports in a blog post.

Fluoroacetate did not stop here, though. They targeted Samsung Galaxy S9 and earned another $50,000 with a heap overflow in the baseband component, responsible for cellular radio on the phone. This is an impressive feat considering the sensitivity of the component and that the user cannot control the connections.

Amat Cama (sitting) and Richard Zhu (white shirt) of the Fluoroacetate team

iPhone X also proved defenseless in front of an attack over WiFi, as Fluoroacetate resorted to a JIT vulnerability in the web browser and an out-of-bounds write bug for the sandbox escape and escalation.

With this demonstration, the team received another $60,000, rounding their earnings for the day to $140,000.

Team MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) was also able to hack Xiaomi's device. The trio forced default web browser to load a portal page when the phone connected to their WiFi server.

By exploiting multiple security bugs they used JavaScript to install a web app, bypass the application whitelist, and launch it automatically and end the game.

To achieve their goal, the three hackers chained together five different bugs. This earned them $30,000.

Part of the MWR Labs team

MWR Labs took aim at Samsung Galaxy S9, too, and pwned it over WiFi by forcing it to a captive portal with no interaction from the user; next, they installed a special application leveraging an unsafe redirect and an unsafe application load. Success came at the second attempt, bringing them another $30,000.

$25,000 went to Michael Contreras, who exploited a type confusion in JavaScript to obtain code execution on Xiaomi Mi6.

Other handsets in the contest are Google Pixel 2 and Huawei P20.

Day 2 brings an additional $100,000 in payouts and winner revealed

Day 2 began with Fluoroacetate popping off 1 more 0-day in iPhone X and one for the Xiaomi Mi6.

Their first iPhone X 0-day combined a JIT bug in the browser along with an out-of-bounds access to exfiltrate a deleted image from the phone. This netted them a $50,000 prize. 

Fluoroacetate JIT Vuln

Fluoroacetate also utilized a integer overflow vulnerability that allowed them exfiltrate a picture from a Xiaomi Mi6 phone. This earned them an additional $25,000.

The last successful entry was from MWR Labs where they targeted the browser on the Xiaomi Mi6. Combining a download bug along with a silent app installation, they were able to load a custom application and steal some pictures from the phone. This earned them $25,000.

MWR Labs

Ultimately, with a total of 45 points and $215,000 USD in prizes, Team Fluoroacetate won the title of Master of Pwn!


Congratulations to all involved!

Related Articles:

iSH - An iOS Linux Shell for Your iPhone or iPad

Rotexy Mobile Trojan Launches 70k+ Attacks in Three Months

Flaws in Popular SSD Drives Bypass Hardware Disk Encryption

Method to View Contact Info on a Locked iOS 12.1 Device Disclosed