Sponsors paid over $100k USD for iPhone X exploits
The ethical hacking event Pwn2Own 2018, conducted in Tokyo, organized by Zero Day Initiative was a success, as reported by specialists in digital forensics from the International Institute of Cyber Security. During the event, participating cybersecurity specialists earned more than $300k USD for disclosing flaws that affected various smartphone models from several manufacturers.
During the first day of the event Pwn2Own Tokyo 2018, the participants, experts on cybersecurity and digital forensics, hacked Apple’s iPhone X devices, Samsung’s Galaxy S9 and Xiaomi’s Mi 6, generating revenues of more than $225k USD.
The novelty of this edition of Pwn2Own was the implementation of a specific hacking session for Internet of Things (IoT) devices.
The second day, the organizers delivered rewards of $100k USD for one iPhone and two Xiaomi hacks.
The day began with the triumph of the team Fluoroacetato composed by experts in information security and digital forensics Amat Cama and Richard Zhu, who hacked an iPhone X exploiting a Just-In-Time (JIT) vulnerability and an out of bonds flaw. Specialists received $50k USD for leaking device information, successfully extracting a previously deleted photo from the hacked device.
In another test, the Fluoroacetate team failed in their attempt to demonstrate a base-band exploit directed against iPhone X devices in time, but the experts successfully exploited an overflow of integers in the web browser’s JavaScript engine Xiaomi to leak an image stored in the phone, earning $25k USD.
Researchers Georgi Geshev, Fabi Beterke and Rob Miller of the LaterMWR Labs team also failed in their attempt to hack an iPhone X in the browser category, as they were unable to use their exploit chain within the time the test allowed them.
Later, this team hacked the Xiaomi Mi6 in the browser category using a download error along with a stealth app installation to load their custom application and leak the images of the device, thanks to this the team won $25k USD.
The organizers reported the vulnerabilities found to the respective vendors, who paid a total of $325k USD for 18 zero-day vulnerabilities, of which $110k USD were paid for vulnerability reports on iPhone X.
These security bugs could have been exploited by a persistent attacker or a surveillance company to compromise a device through the browser or Wi-Fi feature. This type of vulnerability can reach much higher prices in the cybercrime community.
“Overall, we grant a total of $325k USD during the two days of the event, buying 18 zero-day exploits. Manufacturers and developers received reports of these errors and now have 90 days to launch security patches to address these vulnerabilities. Once the updates are published, the user must remain attentive to their implementation”, is mentioned on the official website of Pwn2Own Tokyo 2018.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.