Team Fluoroacetate crowned ‘Masters of Pwn’ in 2018 hacker challenge

Ethical hackers earned a combined total of $325,000 in bug bounties after successfully demonstrating 18 previously undisclosed (zero-day) vulnerabilities against various smartphones during a competition this week.

None of the smartphones – the latest Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi6 – emerged unscathed from the Pwn2Own hacking challenge in Tokyo, Japan.

The two-day contest, organised by Trend Micro’s Zero Day Initiative (ZDI), helped to unearth flaws in the Wi-Fi and browser implementations on the target devices, among others.

External commentators noted that Bluetooth exploits, a long-time staple of mobile phone exploitation, were absent from the roster of mobile attacks unveiled through the competition this year.

Team Fluoroacetate (Amat Cama and Richard Zhu) earned the bragging rights – along with the coveted ‘Master of Pwn’ title – after racking up a total of 45 points during the competition, making them the single most successful of the three groups who competed.

Five of their six attempted hacks worked during the allotted time period, with only an attempted baseband exploit against the Apple iPhone X running out of time and therefore getting chalked up as a failure.

Researchers from F-Secure’s MWR Labs competed in four different categories at the event, successfully demonstrating previously unpublished exploits for the Xiaomi Mi6 and Samsung Galaxy S9 smartphones.

Pwn2Own challenges researchers to push the envelope of security research and uncover flaws ahead of their discovery and exploitation by cyber-criminals or spies.

The competition is held twice a year, with one event focusing on desktops and another focusing on mobile devices. Internet of things devices were also included in the mobile edition of the competition.

Onsite vendors received details of bugs affecting their devices. They have each been given 90 days to produce security patches to address the reported security flaws before ZDI goes public with details of the vulnerabilities.