Connect with us

Hacker News Zero Day

0 Day Exploits Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones

Hacker News Malware

Emotet Malware Makes a Comeback with Fresh Attacks After Three Months of Silence

Hacker News Vulnerability

Lazarus Group Found Exploiting Zero-Day Vulnerabilities in Latest Cyber Attack

Hacker News

Chinese hackers develop new custom backdoor to evade detection

Hacker News

Hackers are exploiting vulnerabilities in containerized environments

Hacker News

Play Ransomware Group Brags About Disruptive Attack on City of Oakland

Hacker News

Chinese State-Sponsored Hacking Group APT31 Targets European Organizations

Hacker News Vulnerability

Researchers Uncover New Security Vulnerabilities in TPM 2.0 Library

Data Breaches Hacker News

Dark Web Marketplace Bidencash Leaks 2 Million Stolen Credit Cards for Free

Hacker News

White Hat Hacking Does Pay: Pwn2Own Shells Out 980,000 in Rewards

Hacker News

0 Day Exploits Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones

Published

5 years ago

on

0 Day Exploits Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones

At the Pwn2Own competition as part of PacSec security conference held in Tokyo, iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 were all exploited at the hands of top white hat hackers.

Day 1:

  • Hacking team Fluoroacetate managed to hack the Xiaomi Mi6 via the NFC component. They exploited the touch-to-connect feature, opening a web browser on the phone and went to a web page that used an out-of-bounds write vulnerability, leading to code execution. For this, they were awarded $30,000.
  • The same group then targets the Galaxy S9. They targeted the device with a heap overflow in the baseband component which is responsible for cellular radio. For this, they were awarded $50,000.
    Richard Zhu and Amat Cama (Team Fluoroacetate)

    Richard Zhu and Amat Cama (Team Fluoroacetate)

     

  • Next, they moved on to the iPhone X, staging a WiFi attack by exploiting a vulnerability in the web browser and an out-of-bounds write bug for the sandbox escape and escalation.
  • Hacker Michael Contreras was awarded $25,000 for a type confusion exploit in javascript which executed code on Xiaomi Mi6.

Day 2:

  • At the start of day 2, Fluoroacetate managed another 0-day exploit in the iPhone X (netting them $50,000), and the Xiaomi Mi6 (earning them $25,000).
  • Rob Miller, Georgi Geshev, and Fabi Beterke (MWR Labs)

    Rob Miller, Georgi Geshev, and Fabi Beterke (MWR Labs)

    MWR Labs managed to stage a silent app installation on the Xiaomi Mi6 and steal photos from the phone. This earned them ($25,000)

  • Fluoroacetate were declared the winners, earning a total of 45 points and $215,000 USD and the title “Master of Pwn”

We are sure this conference has provided some valuable information to the creators of the three flagship phones that were exploited. The white hat hackers managed to prove that there’s still a way to go to secure our devices from malicious attackers.

PWN2OWN TOKYO 2018 – DAY 2

PWN2OWN TOKYO 2018 – DAY 2

The full details of the vulnerabilities and exploits discovered will be made available, allowing vendors to patch deployments. At present these vulnerabilities remain present in the flagship phones, putting users at risk until patches are released.

 

Related Topics:

Experienced British technology journalist and online reporter

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *