Skip to main content

iPhone, Samsung and Xiaomi can be Hacked.

Vulnerabilities found in iPhone X,  Samsung Galaxy S9 and Xiaomi Mi6 Smartphones.


At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked.


Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward.


Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices.


Apple iPhone X Running iOS 12.1 — GOT HACKED!.


A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to exploit a pair of vulnerabilities in a fully patched Apple iPhone X over Wi-Fi.


The duo combined a just-in-time (JIT) vulnerability in the iOS web browser (Safari) along with an out-of-bounds write bug for the sandbox escape and escalation to exfiltrate data from the iPhone running iOS 12.1.


For their demonstration, the pair chose to retrieve a photo that had recently been deleted from the target iPhone, which certainly came as a surprise to the person in the picture. The research earned them $50,000 in prize money.


Richard Zhu and Amat Cama (Team Fluoroacetate)Fluoroacetate team also attempted to exploit the baseband on the iPhone X, but could not get their exploit working in the time allotted.


Another team of researchers from UK-based MWR Labs (a division of F-Secure), which included Georgi Geshev, Fabi Beterke, and Rob Miller, also targeted the iPhone X in the browser category but failed to get their exploit running within the time allotted.


ZDI said it will acquire those vulnerabilities through its general ZDI program.


Samsung Galaxy S9 — Also, GOT HACKED!.


Besides iPhone X, Fluoroacetate team also hacked into the Samsung Galaxy S9 by exploiting a memory heap overflow vulnerability in the phone's baseband component and obtaining code execution. The team earned $50,000 in prize money for the issue.


"Baseband attacks are especially concerning since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband," Zero Day Initiative wrote in a blog post (Day 1).




Three more different vulnerabilities were discovered by the MWR team, who combined them to successfully exploit the Samsung Galaxy S9 over Wi-Fi by forcing the device to a captive portal without any user interaction.


Next, the team used an unsafe redirect and an unsafe application load in order to install their custom application on the target Samsung Galaxy S9 device. MWR Labs was rewarded $30,000 for their exploit.


Xiaomi Mi6 — Yes, This Too GOT HACKED!.


Fluoroacetate did not stop there. The team also managed to successfully exploit the Xiaomi Mi6 handset via NFC (near-field communications).


"Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage," ZDI said.


"During the demonstration, we didn't even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world."




The vulnerability earned the Fluoroacetate team $30,000 in prize money.


On Day 2 of the competition, the Fluoroacetate team also successfully utilized an integer overflow vulnerability in the JavaScript engine of the web browser of the Xiaomi Mi6 smartphone that allowed them to exfiltrate a picture from the device.


The bug earned them another $25,000.


Georgi Geshev, Fabi Beterke, and Rob Miller (MWR Labs)

MWR Labs also tried its hands on the Xiaomi Mi6 smartphone and combined five different bugs to silently install a custom application via JavaScript, bypass the application whitelist, and automatically launch the app.


To achieve their goal, the white hat hackers first forced the Xiaomi Mi6 phone's default web browser to navigate to a malicious website, when the phone connected to a Wi-Fi server controlled by them.


The combination of vulnerabilities earned the MWR team $30,000.


On Day 2, the MWR team combined a download flaw along with a silent app installation to load their custom application and exfiltrate some pictures from the phone. This earned them another $25,000.


A separate researcher, Michael Contreras, managed to exploit a JavaScript type confusion vulnerability to obtain code execution on the Xiaomi Mi6 handset. He earned himself $25,000.


Fluoroacetate Won 'Master of Pwn' Title This Year.


With the highest of 45 points and a total of $215,000 prize money, Fluoroacetate researchers Cama and Zhu earned the title 'Master of Pwn,' logging five out of six successful demonstrations of exploits against iPhone X, Galaxy S9, and Xiaomi Mi6.


Details of all the zero-day vulnerabilities discovered and exploited in the competition will be available in 90 days, as per the pwn2Own contest's protocol, which includes notifying vendors and OEM patch deployments.


The vulnerabilities will remain open until the affected vendors issue security patches to address them.


Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...