iPhone X, Samsung Galaxy S9, Xiaomi Mi 6 Hacked At Pwn2Own Tokyo

Pwn2Tokyo, the annual hacking contest has wrapped up its first day and last year flagship devices like Samsung Galaxy S9, iPhone X and Xiaomi Mi 6 have already been hacked, earning hackers a bounty of more than half a million dollars.

According to Zero Day Initiative, of the organizers of the event —  “Fluoroacetate” team (Amat Cama and Richard Zhu) was the first to exploit Xiaomi Mi 6 with the help of device NFC.

They used the touch-to-connect feature to force open up their specially crafted web page, on the device browser. Following which they leveraged an out-of-bounds write bug affecting WebAssembly to achieve code execution. The researchers earned $30,000 for this hack.

The same team was able to exploit Samsung Galaxy S9 which involved a heap overflow in the device’s baseband component. This hack fetched them a sum of $50,000. Fluoroacetate was also able to hack iPhone X via Wifi using a Just-In-Time (JIT) bug, and an out-of-bounds write flaw, which grabbed another $60,000.

Another team from UK-based MWR Labs took two attempts before finally hacking Xiaomi Mi 6 and Samsung Galaxy S9. The team used a code execution exploit via Wi-Fi that resulted in a photo getting exfiltrated from the targeted phone. ZDI says they chained a bunch of bugs to silently install an application via javascript. MWR Labs was rewarded $60,000 for hacking both the phones.

At the end of the first day, a researcher Michael Contreras received $25,000 for hacking the Xiaomi Mi 6 browser via JavaScript type confusion flaw.

This was only one day of the Pawn2Tokyo; more hacks will be coming soon enough. Last year, devices like Samsung Galaxy S8, Huawei Mate 9 Pro and iPhone 7 were hacked many times, for which hackers received a cash price of $500,000.

Also Read: User Profiles On Dating Apps Like Tinder Are Being Auctioned For Millions