Pwn2Own 2018: A Showcase of Mobile Vulnerabilities
The Pwn2Own 2018 mobile hacking competition, held in Tokyo on November 13-14, demonstrated the ongoing vulnerability of even well-secured smartphones. White hat hackers successfully exploited fully patched devices, including flagship models from renowned manufacturers, revealing concerning security gaps.
Key targets included the iPhone X, Samsung Galaxy S9, and Xiaomi Mi6, each of which was compromised by teams of ethical hackers, who collectively earned a staggering $325,000 in rewards. In total, participants disclosed 18 zero-day vulnerabilities across these mobile platforms, underscoring the ongoing challenges in mobile cybersecurity.
Notably, researchers Richard Zhu and Amat Cama, operating under the team name Fluoroacetate, took center stage by exploiting two vulnerabilities in a fully updated iPhone X over Wi-Fi. They demonstrated their skill by retrieving a recently deleted photo from the device, showcasing the potential for data exfiltration even in supposedly secure environments. This successful breach earned them a prize of $50,000.
The team also targeted the Galaxy S9, where they used a heap overflow vulnerability in the phone’s baseband component to gain code execution. The ZDI noted the seriousness of baseband attacks, pointing out that users often cannot control these connections the way they can control which Wi-Fi networks they join. Fluoroacetate’s work on the S9 netted them another $50,000 in rewards.
Moreover, the competition revealed additional advancements in hacking techniques. A separate group from MWR Labs, which included researchers Georgi Geshev, Fabi Beterke, and Rob Miller, successfully combined multiple vulnerabilities to exploit the S9 via Wi-Fi, leading to the installation of unauthorized software on the device without user interaction. This exploitation earned them $30,000.
Fluoroacetate’s success did not stop there; they also compromised the Xiaomi Mi6 through a near-field communication (NFC) attack. By manipulating the touch-to-connect feature, they forced the phone to navigate to a malicious webpage, illustrating how easily user actions can be manipulated once initial access is achieved. This exploit was rewarded with an additional $30,000, highlighting the ongoing threats posed through NFC technologies.
On the second day of the contest, Fluoroacetate exploited an integer overflow vulnerability in the Xiaomi Mi6’s JavaScript engine to exfiltrate another image from the device, which garnered them an additional $25,000. Meanwhile, MWR Labs also used a combination of vulnerabilities to install a malicious application on the Mi6, further demonstrating the extensive security challenges within these devices.
The successful demonstrations at Pwn2Own raise significant concerns regarding the effectiveness of current mobile security frameworks. The vulnerabilities exploited during the competition could align with various tactics outlined in the MITRE ATT&CK framework, including initial access, privilege escalation, and even defense evasion, which reflects the multi-faceted nature of the threats faced by mobile devices.
As ethical hacking competitions continue to expose vulnerabilities in high-profile technology, organizations must remain vigilant in updating their security measures and scrutinizing potential weaknesses in their systems. The findings from this year’s Pwn2Own serve as a crucial reminder of the state of mobile security and the sophistication of adversaries operating in this space.
The full details of the vulnerabilities disclosed will remain under wraps for 90 days, during which vendors will be notified and tasked with deploying necessary security patches. Awareness and timely action are crucial as companies navigate the evolving landscape of cybersecurity threats, particularly in mobile technology where user assumptions of safety can often be misguided.