iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 all fell at the hands of hackers who found bugs in various components and crafted exploits that allowed complete takeover of the targeted device.
All this happened at the PacSec security conference in Tokyo, during the Pwn2Own competition, organized by Trend Micro's Zero Day Initiative (ZDI) program. ZDI has more than half a million dollars in cash for prizes and has paid $325,000 for 18 valid vulnerabilities.
The duo used the touch-to-connect feature to open the web browser on the device and navigate to a web page that exploited an out-of-bounds write vulnerability in WebAssembly and led to code execution.
This sealed the state of the handset as pwned and earned team Fluoroacetate its first $30,000.
"During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world," ZDI reports in a blog post.
Fluoroacetate did not stop here, though. They targeted Samsung Galaxy S9 and earned another $50,000 with a heap overflow in the baseband component, responsible for cellular radio on the phone. This is an impressive feat considering the sensitivity of the component and that the user cannot control the connections.
iPhone X also proved defenseless against an attack over WiFi, as Fluoroacetate resorted to a JIT vulnerability in the web browser and an out-of-bounds write bug for the sandbox escape and escalation.
With this demonstration, the team received another $60,000, bringing their earnings for the day to $140,000.
Team MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) was also able to hack Xiaomi's device. The trio forced the default web browser to load a portal page when the phone connected to their WiFi server.
To achieve their goal, the three hackers chained together five different bugs. This earned them $30,000.
MWR Labs took aim at Samsung Galaxy S9, too, and pwned it over WiFi by forcing it to a captive portal with no interaction from the user; next, they installed a special application leveraging an unsafe redirect and an unsafe application load. Success came on the second attempt, bringing them another $30,000.
Other handsets in the contest are Google Pixel 2 and Huawei P20.
Day 2 began with Fluoroacetate popping off one more 0-day in the iPhone X and one for the Xiaomi Mi6.
Their first iPhone X 0-day combined a JIT bug in the browser along with an out-of-bounds access to exfiltrate a deleted image from the phone. This netted them a $50,000 prize.
Fluoroacetate also utilized an integer overflow vulnerability that allowed them to exfiltrate a picture from a Xiaomi Mi6 phone. This earned them an additional $25,000.
The last successful entry was from MWR Labs where they targeted the browser on the Xiaomi Mi6. Combining a download bug along with a silent app installation, they were able to load a custom application and steal some pictures from the phone. This earned them $25,000.
Ultimately, with a total of 45 points and $215,000 USD in prizes, Team Fluoroacetate won the title of Master of Pwn!
Congratulations to all involved!