Pwn2Own Tokyo 2018 ethical hacking event


Sponsors paid over $100k USD for iPhone X exploits

The ethical hacking event Pwn2Own 2018, held in Tokyo and organized by the Zero Day Initiative, was a success, as reported by specialists in digital forensics from the International Institute of Cyber Security. During the event, participating cybersecurity specialists earned more than $300k USD for disclosing flaws affecting smartphone models from several manufacturers.

During the first day of Pwn2Own Tokyo 2018, the participants, experts in cybersecurity and digital forensics, hacked Apple’s iPhone X, Samsung’s Galaxy S9 and Xiaomi’s Mi 6, earning more than $225k USD.

The novelty of this edition of Pwn2Own was the implementation of a specific hacking session for Internet of Things (IoT) devices.

On the second day, the organizers delivered rewards of $100k USD for one iPhone hack and two Xiaomi hacks.

The day began with the triumph of the Fluoroacetate team, composed of information security and digital forensics experts Amat Cama and Richard Zhu, who hacked an iPhone X by exploiting a Just-In-Time (JIT) vulnerability together with an out-of-bounds flaw. The specialists received $50k USD for leaking device information, successfully extracting a previously deleted photo from the hacked device.

In another test, the Fluoroacetate team failed to demonstrate a baseband exploit against the iPhone X within the allotted time, but the experts successfully exploited an integer overflow in the JavaScript engine of the Xiaomi’s web browser to leak an image stored on the phone, earning $25k USD.

Researchers Georgi Geshev, Fabi Beterke and Rob Miller of the MWR Labs team also failed in their attempt to hack an iPhone X in the browser category, as they were unable to run their exploit chain within the time the test allowed them.

Later, this team hacked the Xiaomi Mi 6 in the browser category, combining a download flaw with a silent app installation to load their custom application and leak the device’s images; for this the team won $25k USD.

The organizers reported the vulnerabilities found to the respective vendors. In total, $325k USD was paid out for 18 zero-day vulnerabilities, of which $110k USD went to vulnerability reports on the iPhone X.

These security bugs could have been exploited by a persistent attacker or a surveillance company to compromise a device through its browser or Wi-Fi features. Vulnerabilities of this type can fetch much higher prices in the cybercrime community.

“Overall, we granted a total of $325k USD during the two days of the event, buying 18 zero-day exploits. Manufacturers and developers received reports of these errors and now have 90 days to launch security patches to address these vulnerabilities. Once the updates are published, the user must remain attentive to their implementation”, states the official website of Pwn2Own Tokyo 2018.