During the first day of the Pwn2Own Tokyo 2018 contest, participants hacked Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 devices earning more than $225,000.
The novelty for this Pwn2Own edition was the creation of a specific session for IoT devices.
On the second day, the organizers only paid $100,000 for one iPhone and two Xiaomi hacks.
The day began with the success of the Team Fluoroacetate composed of Amat Cama and Richard Zhu, who hacked an iPhone X exploiting a Just-In-Time (JIT) bug and an out-of-bounds access flaw.
The team received $50,000 to have exfiltrate data from the device, they successfully stole a previously deleted photo from the targeted device.
They earned $25,000 USD and 6 Master of Pwn points.
LaterMWR Labs hacked the Xiaomi Mi6 in the browser category using a download bug along with a silent app installation to load their custom app and exfiltrate pictures.
They earned another $25,000 USD and 6 more Master of Pwn points.
The organizers reported the flaws to their respective vendors, they paid out a total of $325,000 for 18 zero-days, $110,000 was for iPhone X exploits.
The flaws could be used by a persistent attacker or a surveillance firm to compromise the target device via its browser or Wi-Fi, their value is much greater in the cybercrime underground.
“Overall, we awarded $325,000 USD total over the two day contest purchasing 18 0-day exploits. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week.” concludes the official page for the Pwn2Own Tokyo 2018.
(Security Affairs – Pwn2Own Tokyo 2018, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.