Skip to main content

iPhone, Samsung and Xiaomi can be Hacked.

Vulnerabilities found in iPhone X,  Samsung Galaxy S9 and Xiaomi Mi6 Smartphones.

At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked.

Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward.

Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices.

Apple iPhone X Running iOS 12.1 — GOT HACKED!.

A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to exploit a pair of vulnerabilities in a fully patched Apple iPhone X over Wi-Fi.

The duo combined a just-in-time (JIT) vulnerability in the iOS web browser (Safari) along with an out-of-bounds write bug for the sandbox escape and escalation to exfiltrate data from the iPhone running iOS 12.1.

For their demonstration, the pair chose to retrieve a photo that had recently been deleted from the target iPhone, which certainly came as a surprise to the person in the picture. The research earned them $50,000 in prize money.

Richard Zhu and Amat Cama (Team Fluoroacetate)Fluoroacetate team also attempted to exploit the baseband on the iPhone X, but could not get their exploit working in the time allotted.

Another team of researchers from UK-based MWR Labs (a division of F-Secure), which included Georgi Geshev, Fabi Beterke, and Rob Miller, also targeted the iPhone X in the browser category but failed to get their exploit running within the time allotted.

ZDI said it will acquire those vulnerabilities through its general ZDI program.

Samsung Galaxy S9 — Also, GOT HACKED!.

Besides iPhone X, Fluoroacetate team also hacked into the Samsung Galaxy S9 by exploiting a memory heap overflow vulnerability in the phone's baseband component and obtaining code execution. The team earned $50,000 in prize money for the issue.

"Baseband attacks are especially concerning since someone can choose not to join a Wi-Fi network, but they have no such control when connecting to baseband," Zero Day Initiative wrote in a blog post (Day 1).

Three more different vulnerabilities were discovered by the MWR team, who combined them to successfully exploit the Samsung Galaxy S9 over Wi-Fi by forcing the device to a captive portal without any user interaction.

Next, the team used an unsafe redirect and an unsafe application load in order to install their custom application on the target Samsung Galaxy S9 device. MWR Labs was rewarded $30,000 for their exploit.

Xiaomi Mi6 — Yes, This Too GOT HACKED!.

Fluoroacetate did not stop there. The team also managed to successfully exploit the Xiaomi Mi6 handset via NFC (near-field communications).

"Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage," ZDI said.

"During the demonstration, we didn't even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world."

The vulnerability earned the Fluoroacetate team $30,000 in prize money.

On Day 2 of the competition, the Fluoroacetate team also successfully utilized an integer overflow vulnerability in the JavaScript engine of the web browser of the Xiaomi Mi6 smartphone that allowed them to exfiltrate a picture from the device.

The bug earned them another $25,000.

Georgi Geshev, Fabi Beterke, and Rob Miller (MWR Labs)
MWR Labs also tried its hands on the Xiaomi Mi6 smartphone and combined five different bugs to silently install a custom application via JavaScript, bypass the application whitelist, and automatically launch the app.

To achieve their goal, the white hat hackers first forced the Xiaomi Mi6 phone's default web browser to navigate to a malicious website, when the phone connected to a Wi-Fi server controlled by them.

The combination of vulnerabilities earned the MWR team $30,000.

On Day 2, the MWR team combined a download flaw along with a silent app installation to load their custom application and exfiltrate some pictures from the phone. This earned them another $25,000.

A separate researcher, Michael Contreras, managed to exploit a JavaScript type confusion vulnerability to obtain code execution on the Xiaomi Mi6 handset. He earned himself $25,000.

Fluoroacetate Won 'Master of Pwn' Title This Year.

With the highest of 45 points and a total of $215,000 prize money, Fluoroacetate researchers Cama and Zhu earned the title 'Master of Pwn,' logging five out of six successful demonstrations of exploits against iPhone X, Galaxy S9, and Xiaomi Mi6.

Details of all the zero-day vulnerabilities discovered and exploited in the competition will be available in 90 days, as per the pwn2Own contest's protocol, which includes notifying vendors and OEM patch deployments.

The vulnerabilities will remain open until the affected vendors issue security patches to address them.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.