Skip to main content

iPhone, Samsung and Xiaomi can be Hacked.

Vulnerabilities found in iPhone X,  Samsung Galaxy S9 and Xiaomi Mi6 Smartphones.


At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked.


Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward.


Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices.


Apple iPhone X Running iOS 12.1 — GOT HACKED!.


A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to exploit a pair of vulnerabilities in a fully patched Apple iPhone X over Wi-Fi.


The duo combined a just-in-time (JIT) vulnerability in the iOS web browser (Safari) along with an out-of-bounds write bug for the sandbox escape and escalation to exfiltrate data from the iPhone running iOS 12.1.


For their demonstration, the pair chose to retrieve a photo that had recently been deleted from the target iPhone, which certainly came as a surprise to the person in the picture. The research earned them $50,000 in prize money.


Richard Zhu and Amat Cama (Team Fluoroacetate)Fluoroacetate team also attempted to exploit the baseband on the iPhone X, but could not get their exploit working in the time allotted.


Another team of researchers from UK-based MWR Labs (a division of F-Secure), which included Georgi Geshev, Fabi Beterke, and Rob Miller, also targeted the iPhone X in the browser category but failed to get their exploit running within the time allotted.


ZDI said it will acquire those vulnerabilities through its general ZDI program.


Samsung Galaxy S9 — Also, GOT HACKED!.


Besides iPhone X, Fluoroacetate team also hacked into the Samsung Galaxy S9 by exploiting a memory heap overflow vulnerability in the phone's baseband component and obtaining code execution. The team earned $50,000 in prize money for the issue.


"Baseband attacks are especially concerning since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband," Zero Day Initiative wrote in a blog post (Day 1).




Three more different vulnerabilities were discovered by the MWR team, who combined them to successfully exploit the Samsung Galaxy S9 over Wi-Fi by forcing the device to a captive portal without any user interaction.


Next, the team used an unsafe redirect and an unsafe application load in order to install their custom application on the target Samsung Galaxy S9 device. MWR Labs was rewarded $30,000 for their exploit.


Xiaomi Mi6 — Yes, This Too GOT HACKED!.


Fluoroacetate did not stop there. The team also managed to successfully exploit the Xiaomi Mi6 handset via NFC (near-field communications).


"Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage," ZDI said.


"During the demonstration, we didn't even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world."




The vulnerability earned the Fluoroacetate team $30,000 in prize money.


On Day 2 of the competition, the Fluoroacetate team also successfully utilized an integer overflow vulnerability in the JavaScript engine of the web browser of the Xiaomi Mi6 smartphone that allowed them to exfiltrate a picture from the device.


The bug earned them another $25,000.


Georgi Geshev, Fabi Beterke, and Rob Miller (MWR Labs)

MWR Labs also tried its hands on the Xiaomi Mi6 smartphone and combined five different bugs to silently install a custom application via JavaScript, bypass the application whitelist, and automatically launch the app.


To achieve their goal, the white hat hackers first forced the Xiaomi Mi6 phone's default web browser to navigate to a malicious website, when the phone connected to a Wi-Fi server controlled by them.


The combination of vulnerabilities earned the MWR team $30,000.


On Day 2, the MWR team combined a download flaw along with a silent app installation to load their custom application and exfiltrate some pictures from the phone. This earned them another $25,000.


A separate researcher, Michael Contreras, managed to exploit a JavaScript type confusion vulnerability to obtain code execution on the Xiaomi Mi6 handset. He earned himself $25,000.


Fluoroacetate Won 'Master of Pwn' Title This Year.


With the highest of 45 points and a total of $215,000 prize money, Fluoroacetate researchers Cama and Zhu earned the title 'Master of Pwn,' logging five out of six successful demonstrations of exploits against iPhone X, Galaxy S9, and Xiaomi Mi6.


Details of all the zero-day vulnerabilities discovered and exploited in the competition will be available in 90 days, as per the pwn2Own contest's protocol, which includes notifying vendors and OEM patch deployments.


The vulnerabilities will remain open until the affected vendors issue security patches to address them.


Comments

Post a Comment

Popular posts from this blog

More Than 100 Angry Youths Chased Maracha District Officials Out of Site Meeting Over Corruption.

📸: Some of the angry Youths displaying placards as others walked in to stop the ongoing meeting by Maracha District officials. Story by Osuta Yusuf. Maracha District. 3-February-2025. 📸: Kololo Public Seed Secondary School whose construction project has again stalled. Photo by Osuta Yusuf, Our News Reporter. The angry youths from Vurra Parish, Tara Sub-county in Maracha East constituency, Maracha District have on Monday 3-Feb-2025 chased the entire Maracha District officials out of a site meeting in Kololo Seed Secondary over allegations of corruption stemming from the stalled seed school construction project. Key Maracha District officials who went for the site meeting on Monday 3-Feb-2025 include, the Security department headed by the deputy RDC Koliba Monica Kotevu and Assistant RDC Collins Dramani, the LC5 Chairperson Hon Obitre Stephen together with his DEC Councilors, the accounting  / technical department headed by the CAO Mr Olila Patrick, the Engi...
Post a Comment
Read more

Ambassador Angualia Richard Perished in a Fatal Accident.

Story by Osuta Yusuf. Arua City. 29-7-2025. 📸: Portrait of Ambassador Angualia Richard. Courtesy Photo. Former Uganda's Ambassador to Egypt, Ambassador Angualia Louis Richard has been reported dead this evening 5pm 28-7-2025 after he was involved in a head-on collision accident with another motorcycle rider near Abi Farm, Ayivu East Constituency in Arua City. 📸: Photos from the scene of the Accident. Courtesy Photos. He met his death this evening while riding on a Bajaj Motorcycle. Amb. Angualia, who contested in 2011 for Maracha County but lost to Hon Alex Onzima Adrooa. In 2016 when two Constituencies were created in Maracha District, carving Maracha Constituency and Maracha East constituency, Ambassador Angualia contested for Maracha Constituency MP position in 2016 but lost to Hon Oguzu Lee Denis. Ambassador Angualia later shifted to contest in Maracha East Constituency but again lost to Hon Ruth Lematia Molly Ondoru during the 4-September-2020...
1 comment
Read more

Lab Student Drowned, Body Missing in Rokoze Lake in Nyadri Sub-county, Maracha District.

Maracha District.  5-December-2025. 📸: Residents gathered around the lake as they searched the missing body of the student. Photo by #Information_is_Power's news reporter.  This afternoon Friday 5-December-2025, a student from St Joseph Laboratory Training School in Maracha hospital, a one  Araku Denis drowned in Rokoze water body in Nyadri Sub-county and the  body has not been retrieved upto this night as the police and residents searched for it and in vain but they are expected to resume retrieving it tomorrow Saturday 6-December-2025. 📸: Photo of the deceased which we captured on his phone screen this night. Araku and his fellow students had  reportedly gone to pass time at water point after completing exams papers of today. Him and callagues got attracted to swimming at water body where he perished.  By press time, efforts to retrieve his body proved futile as the body remains invisible on water surface.  Rokoze water body...
Post a Comment
Read more