IPhone X, Samsung Galaxy S9, Xiaomi Mi 6 Hacked at Pwn20wn Tokyo 2018

Leave a Comment / Apple, Cyber Security, Ethical Hacking, Tech, Vulnerabilities / By

IPhone x Samsung Galaxy S9 Xiaomi MI 6 Hacked at pwn20wn tokyo

IPhone x, Samsung Galaxy S9, Xiaomi MI 6, Hacked at pwn20wn Tokyo 2018 Event

T

he Annual Hacking contest which goes by the name of Pwn20wn which was held at the PacSec Security conference in Tokyo, which hackers showcase their skills by successfully exploiting the iPhone X Samsung Galaxy s9, Xiaomi Mi6, Google Pixel 2, Huawei P20 and other handset devices were also exploited.

 

Day 1 at the Pwn20wn Event in Tokyo 2018.

At the start of Pwn20wn in Tokyo 2018, the Xiaomi Mi 6 was the first device to get hacked by the Fluoroacetate team that was successfully done by Amat Cama and Richard Zhu using Xiaomi Mi 6 NFC component.


The exploitation of the Xiaomi Mi 6 was a success because of its touch-to-connect feature in which Amat Cama And Richards Zhu force-open the web browser on the device and then visited their specially crafted Web page which exploited an Out-of-Bounds write in Web Assembly to get code execution on the device. This hack earned them $30,000 USD and 6 Masters of Pwn Points.

” During the demonstration, we didn’t even realize that action was occurring until it was too late, in the other words, a user would have no chance of preventing this action from happening in the real world.”  – ZDI Reported in a blog post

 

The Fluoroacetate team didn’t stop there, they later went on exploiting the recently released Samsung Galaxy S9, using a heap overflow method within the baseband component to get codes to be executed on the device the performance of this hack earns them another 50,000 USD and 15 Pwn Master Points.


Stop don’t think the fluoroacetate has finished as yet, or Apple iPhone would escape the team, the team went on on hacking  iPhone X via Wi-Fi using  a pair of bugs – A JIT (Just-In-Time) vulnerability in the web browser followed by an OOB (Out-Of-Bound) write for the sandbox escape and escalation, this hack adds another 60,000 USD and 10 additional Master of Pwn points for this hacking team.

The Fluoroacetate wasn’t the only team that successfully hacked the Xiaomi 6 and the Samsung Galaxy S9. The Hacking team used a Heap overflow method within the baseband component to get codes to be executed on the device, this Hacking method earn them another 50,000 USD and 15 more points towards the Master of Pwn.


The Fluoroacetate didn’t stop there and all apple product wasn’t secure, in which they move on to hack the Apple iPhone X via Wi-Fi using a  pair of bugs – a JIT ( Just In Time) Vulnerability when the web browser followed by an OOB (Out-Of-Bounds) write for the sandbox escape and escalation. The hack earns the team another 10 Master of Pwn Points and an additional $60,000 USD.

 

The Hacking team from UK MWR Labs also targeted the Xiaomi 6 And The Samsung Galaxy S9 and successfully exploit these devices, the MWR Labs team members are (Georgi Geshev, Fabi Betere, and Rob Miller)

The MWR Labs Team Successfully exploits the Samsung Galaxy S9 with the combination of Three (3)  different bugs  over Wi-Fi, The force the phone to a captive portal without user interaction, then  redirect to an unsafe URL and then install their custom application, Although the first attempt was unsuccessful  but the second was a nutcracker  which earned the MWR Labs team $30,000 USD and  6 points towards the Master of Pwn points.

MWR Labs hacked the Xiaomi 6  with code execution over Wi-Fi in which force the default browser of the device to navigate to a portal page. In which the compile additional bugs together to silently install an application via javascript,  which bypasses the application whitelist and automatically starts the application. This hack earned the team $30,000 USD and 6 more masters Pwn points.


Michael Contreras a researcher who received $25,000 USD and 6 masters of Pwn points for also hacking the Xiaomi Mi 6 using confusion flaw a javascript based exploit.

You may Also Like:

WhatApp’s Status Feature will be Monetize.

—————————————————————————————————————————————–

Hacking Competition Witness Ubuntu Linux, Edge, Safari and Adobe Reader Exploited

Day 2 at the Pwn20wn Event in Tokyo 2018.

The Pwn20wn event started off with  Fluoroacetate team exploiting more Zero Day vulnerabilities in the iPhone X and Xiaomi Mi 6.

The first iPhone x Zero-Day combined a JIT bug within the web browser along with an out-of-bounds access which results in a deleted photo getting exfiltrated from the target device.  With this hack, they earn themselves an extra $50,000 USD.

The hacking of the Xiaomi Mi 6 by the fluoroacetate team used an integer overflow vulnerability which allows them to exfiltrate a picture from the device earning them another 25,000 USD.

MWR Labs were also successful with hacking the Xiaomi Mi6 on the second day as well with a loaded custom application by combining a download bug with a silent app installation and stole some pictures from the device. The hack earns them an additional  $25,000 USD.


The Fluoroacetate Team won the event with 45 points,  $215,000 USD and also walked away with the Master Of Pwn! Title.