    Apple iPhone Hacked at Mobile Pwn2Own 2018

    By Sean Michael Kerner - November 14, 2018

      Once again, security researchers have demonstrated at a Pwn2Own event that fully patched mobile devices are at risk from zero-day vulnerabilities. 

      At Mobile Pwn2Own 2018, held in Tokyo Nov 13-14, sponsor Trend Micro’s Zero Day Initiative (ZDI) awarded a total of $325,000 to security researchers. Across the two-day event, researchers reported more than 16 new vulnerabilities, exposing risks in fully patched Apple iPhone, Samsung Galaxy S9 and Xiaomi Mi6 phones.

      “We were surprised to see how popular the Xiaomi handset was, with five targets,” Dustin Childs, communications manager for ZDI, told eWEEK. “Another positive surprise was a full day of successes on Day 1. That’s a rarity for Pwn2Own.”

      The Pwn2Own contest is held twice a year. The first event, held in March, focused on desktop systems, and the second event targeted mobile devices. For the desktop event, researchers were awarded a total of $267,000 for disclosing new flaws in Apple Safari, Mozilla Firefox, Microsoft Edge and Oracle VirtualBox. At the 2017 Mobile Pwn2Own, ZDI awarded researchers a total of $515,000 for disclosing 32 vulnerabilities.

      Vulnerabilities

      The team known as Fluoroacetate, which included security researchers Amat Cama and Richard Zhu, ended up winning the overall event by demonstrating multiple vulnerabilities. The first bug demonstrated by the Fluoroacetate team was an NFC (near-field communications) issue in the Xiaomi Mi6 handset. That bug earned Fluoroacetate $30,000.

      “Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage,” Childs blogged. “The webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution on the phone.” 

      Fluoroacetate also exploited the Samsung Galaxy S9 via a vulnerability in the baseband component of the phone. ZDI awarded $50,000 for the baseband issue, which enabled a memory heap overflow.

      Looking beyond Android, Fluoroacetate also took aim at a fully patched Apple iPhone X and was able to exploit a pair of bugs via Wi-Fi. One vulnerability was in the iOS web browser, while the second issue was identified as an out-of-bounds write used for the sandbox escape and privilege escalation. ZDI awarded Fluoroacetate $60,000 for the attack. While the attack Fluoroacetate demonstrated was specifically against Apple’s iOS mobile operating system, iOS shares some libraries with the macOS operating system, so Apple’s desktop users could potentially be exposed to the same flaws.

      “We have not tested it on macOS, but it wouldn’t be surprising to see collisions there,” Childs said.

      On the second day of Mobile Pwn2Own, the Fluoroacetate team continued its assault on the iPhone X, demonstrating another pair of bugs that enabled them to exfiltrate data from the iPhone. The two flaws included an out-of-bounds access bug in the JIT compiler, earning the team an additional $50,000.

      Rounding out the Fluoroacetate team’s success was a flaw it discovered in the JavaScript engine of the Xiaomi web browser that was used by the researchers to exfiltrate a picture from the phone. That attack earned the researchers $25,000. Fluoroacetate, however, failed on its final attempt of the contest, where the team targeted the iPhone X in the baseband category.

      IoT

      While researchers made quick work of the mobile phones available for attack at Mobile Pwn2Own, no one made an attempt at the internet of things (IoT) devices that were also part of the contest.

      IoT is a new category to the contest this year, with targets including the Apple Watch Series 3, Amazon Echo (2nd Generation), Google Home, Nest Cam IQ Indoor and the Amazon Cloud Cam Security Camera.

      “We didn’t have anyone target the IoT category this year,” Childs said. “This is not surprising, as it often takes a year or two before we see attempts against new categories in Pwn2Own.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.