White Hat hackers at Pwn20wn 2018, a mobile hacking competition held in Tokyo last week, demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. This article will detail the event and what you can do to protect yourself.
Three major vendors – Apple, Samsung and Xiaomi – were amongst the companies that were exposed. Devices like the iPhone X, Samsung’s Galaxy S9, and Xiaomi Mi6, were among the devices that got successfully hacked at the event. The contest organised by one of our partners, Trend Micro, awarded the white hat hackers $325,000 for the successful hack.
Teams of hackers coming from all corners of the globe representing different cybersercurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaome, as well as crafted exploits that allowed them to completely take over the targeted devices and control/steal sensitive information.
Samsung Galaxy S9
The Fluoroacetate team successfully hacked into the Samsung Galaxy S9 by exploiting a memory heap overflow vulnerability in the phone’s baseband component and obtaining code execution. The team earned $50,000 in prize money for the issue.
“Baseband attacks are especially concerning since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband,” Zero Day Initiative wrote in a blog post (Day 1).
During this hack, another 3 vulnerabilities were discovered be the MWR team, who combined them to successfully exploit the Samsung Galaxy S9 over Wi-Fi by forcing the device to a captive portal without any user interaction.
The team then used a redirect and an unsafe application load in order to install their custom application on the target Samsung Galaxy S9 device. MWR Labs was rewarded $30,000 for their exploit.
Apple iPhone X
Fluoroacetate also discovered and managed to exploit a pair of flaws within the fully patched Apple iPhone X over Wi-Fi.
The team combined a just-in-time (JIT) flaw in the iOS web browser (safari) along with an out-of-bounds write a bug for the sandbox escape and escalation to exfiltrate data from the iPhone running iOS 12.1.
For their demonstration, Fluoroacetate chose to retrieve a photo that had recently been deleted from the target iPhone, which certainly came as a surprise to the person in the picture. The research earned them $50,000 in prize money. The team also attempted to exploit the baseband on the iPhone X, but could not get their exploit working in the time allowed.
The Fluoroacetate team did not stop at the Samsung and iPhone, the team also managed to successfully hack another major vendor in Xiaomi.
Using a touch-to-connect feature, the team were able to force the phone to open a web browser and navigate the user to an amazingly crafted webpage in which by that point the team were able to successfully exploit the phone. This vulnerability earned the Fluoroacetate team an additional $30,000 in prize money.
Other companies were also able to exploit other vulnerabilities including other flaws within the Samsung network however, Fluoroacetate win the ‘Master of Pwn’ title this year with their topping 45 Points by logging five out of six successful demonstrations of exploits against the iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 earning a total of $215,000 in prize money.
Details of all the zero-day vulnerabilities discovered and exploited in the competition will be available in 90 days, as per the pwn2Own contest’s protocol, which includes notifying vendors and OEM patch deployments.
The vulnerabilities will remain open until the affected vendors issue security patches to address them which apple have released a new update this weekend.
Other Articles You May Enjoy: