Galaxy S9, iPhone X, Xiaomi Mi6 Devices Hacked at Pwn2Own Contest

Two teams of hackers managed to break into the iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 mobile devices at the mobile Pwn2Own contest held in Tokyo this week by using multiple types of exploits—moves that earned them more than $300,000.

The first day of the contest started with a hack of the Xiaomi Mi6 over NFC, which fell into Pwn2Own’s Short Distance Exploit category.

A team named Fluoroacetate, made up of researchers Amat Cama and Richard Zhu, used the phone’s touch-to-connect NFC feature to open the web browser and navigate to a specially crafted webpage that exploited an out-of-bounds write in WebAssembly to get code execution on the phone. They were awarded $30,000.

Next was a team from MWR Labs, a subsidiary of F-Secure, which included researchers Georgi Geshev, Fabi Beterke and Rob Miller. They exploited the Xiaomi Mi6 over Wi-Fi by tricking the device to access a specially crafted captive portal page that launched an exploit chain combining five different bugs to install and run a rogue application on the device. They, too, were awarded $30,000.

Team Fluoroacetate then compromised the Samsung Galaxy S9 through a vulnerability in the baseband component, the modem firmware that handles mobile connections. Baseband exploits are highly valuable to attackers because they are almost impossible to detect and block, which is why the team earned $50,000 for their effort.

Also during the first day, MWR Labs went after the iPhone with a Wi-Fi based attack that combined a JIT vulnerability in the web browser and an out-of-bounds write to escape the iOS sandbox and escalate privileges. They were awarded $60,000, which is a small sum considering that there are exploit brokers willing to pay up to $1.5 million for an iOS exploit that doesn’t require user interaction.

The MWR Labs team also exploited the Samsung Galaxy S9 over Wi-Fi using a no-interaction captive portal technique that resulted in installation of a rogue application. Their exploit chain failed on first attempt, but succeeded on the second try, which earned them an additional $30,000.

Day two of the contest saw the teams return with exploits in the mobile browser category. The Fluoroacetate team combined two browser bugs to exfiltrate data from the iPhone X and then pulled off a similar attack on the Xiaomi Mi6. They were awarded $50,000 and $25,000, respectively.

MWR Labs also earned $25,000 after exploiting the Xiaomi Mi6 through the browser to silently install an app and exfiltrate pictures from the phone.

Both teams had failures as well. Fluoroacetate tried to exploit the iPhone X through the baseband, but couldn’t get their exploit to work in the allocated time. The same thing happened to team MWR Labs when they attempted to hack the iPhone X through the browser.

All of the exploits were shared with Trend Micro’s Zero Day Initiative (ZDI) arm, which organizes the Pwn2Own contest and will be reported to the affected vendors so they can be fixed.

Critical Vulnerability Patched in Another Popular WordPress Plug-in

A critical vulnerability was discovered in the AMP for WP plug-in, which allows WordPress administrators to make their content available as Accelerated Mobile Pages (AMP).

AMP is a publishing technology that optimizes web pages for mobile browsers and serves them from high-performance caches run by Google and other large content delivery networks. Estimates claim AMP pages load 75 percent faster and consume 10 times less data than their non-AMP counterparts.

AMP for WP is one of the most popular AMP-related plug-ins for WordPress, with more than 100,000 active installations on websites. It was removed from the official WordPress plug-in repository in October after a critical vulnerability was identified in its code and was reinstated this week after a patched version was released.

Users are advised to upgrade to AMP for WP version 0.9.97.20 or higher as soon as possible, as the vulnerability is publicly known.

The “vulnerabilities allow an unauthorized user to change any plugin option, including injecting custom HTML code on the main page,” security researcher Luka Šikić, said in a blog post that explains the issue in detail.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin