Once again, security researchers have demonstrated at a Pwn2Own event that fully patched mobile devices are at risk from zero-day vulnerabilities.
At Mobile Pwn2Own 2018, held in Tokyo Nov. 13-14, sponsor Trend Micro’s Zero Day Initiative (ZDI) awarded a total of $325,000 to security researchers. Across the two-day event, researchers reported more than 16 new vulnerabilities, exposing risks in fully patched Apple iPhone, Samsung Galaxy S9 and Xiaomi Mi6 phones.
“We were surprised to see how popular the Xiaomi handset was, with five targets,” Dustin Childs, communications manager for ZDI, told eWEEK. “Another positive surprise was a full day of successes on Day 1. That’s a rarity for Pwn2Own.”
The Pwn2Own contest is held twice a year. The first event, held in March, focused on desktop systems, and the second event targeted mobile devices. For the desktop event, researchers were awarded a total of $267,000 for disclosing new flaws in Apple Safari, Mozilla Firefox, Microsoft Edge and Oracle VirtualBox. At the 2017 Mobile Pwn2Own, ZDI awarded researchers a total of $515,000 for disclosing 32 vulnerabilities.
The team known as Fluoroacetate, which included security researchers Amat Cama and Richard Zhu, ended up winning the overall event by demonstrating multiple vulnerabilities. The first bug demonstrated by the Fluoroacetate team was an NFC (near-field communications) issue in the Xiaomi Mi6 handset. That bug earned Fluoroacetate $30,000.
“Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage,” Childs blogged. “The webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution on the phone.”
Fluoroacetate also exploited the Samsung Galaxy S9 via a vulnerability in the baseband component of the phone. ZDI awarded $50,000 for the baseband issue, which enabled a memory heap overflow.
Looking beyond Android, Fluoroacetate also took aim at a fully patched Apple iPhone X and was able to exploit a pair of bugs via WiFi. One vulnerability was in the iOS web browser, while the second issue was identified as an out-of-bounds write for the sandbox escape and escalation. ZDI awarded Fluoroacetate $60,000 for the attack. While the attack Fluoroacetate demonstrated was specifically against Apple’s iOS mobile operating system, given that there are some shared libraries with the macOS operating system, there potentially could be some risk for Apple’s desktop users as well.
“We have not tested it on macOS, but it wouldn’t be surprising to see collisions there,” Childs said.
On the second day of Mobile Pwn2Own, the Fluoroacetate team continued its assault on the iPhone X, demonstrating another pair of bugs that enabled them to exfiltrate data from the iPhone. The two flaws included a bug in the JIT compiler with out-of-bounds access, earning the team an additional $50,000.
Rounding out the Fluoroacetate team’s success was a flaw it discovered in the JavaScript engine of the Xiaomi web browser that was used by the researchers to exfiltrate a picture from the phone. That attack earned the researchers $25,000. Fluoroacetate, however, failed on its final attempt of the contest, where the team targeted the iPhone X in the baseband category.
While researchers made quick work of the mobile phones available for attack at Mobile Pwn2Own, no one made an attempt at the internet of things (IoT) devices that were also part of the contest.
IoT is a new category in the contest this year, with targets including the Apple Watch Series 3, Amazon Echo (2nd Generation), Google Home, Nest Cam IQ Indoor and the Amazon Cloud Cam Security Camera.
“We didn’t have anyone target the IoT category this year,” Childs said. “This is not surprising, as it often takes a year or two before we see attempts against new categories in Pwn2Own.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.