During the first day of the Pwn2Own Tokyo 2018 contest, participants hacked Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 devices, earning more than $225,000.
The novelty for this Pwn2Own edition was the creation of a specific session for IoT devices.
On the second day, the organizers only paid $100,000 for one iPhone and two Xiaomi hacks.
The day began with the success of Team Fluoroacetate, composed of Amat Cama and Richard Zhu, who hacked an iPhone X by exploiting a Just-In-Time (JIT) bug and an out-of-bounds access flaw.
The team received $50,000 for exfiltrating data from the device; they successfully stole a previously deleted photo from the targeted device.
They earned $25,000 USD and 6 Master of Pwn points.
Later, MWR Labs hacked the Xiaomi Mi6 in the browser category, using a download bug along with a silent app installation to load their custom app and exfiltrate pictures.
They earned another $25,000 USD and 6 more Master of Pwn points.
The organizers reported the flaws to their respective vendors. They paid out a total of $325,000 for 18 zero-days, of which $110,000 was for iPhone X exploits.
The flaws could be used by a persistent attacker or a surveillance firm to compromise the target device via its browser or Wi-Fi; their value is much greater in the cybercrime underground.
“Overall, we awarded $325,000 USD total over the two-day contest purchasing 18 0-day exploits. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week,” concludes the official page for Pwn2Own Tokyo 2018.
(Security Affairs – Pwn2Own Tokyo 2018, hacking)