Technology

Researchers earn thousands for exposing mobile device exploits at Pwn2Own

The competition exposed bugs in mobile devices made by Apple, Samsung and Xiaomi. Hackers went home with thousands of dollars and some sweet jackets.

By Zaid Shoorbajee

November 14, 2018

(Getty Images)

Security researchers competing in the Pwn2Own competition in Tokyo this week earned a collective $325,000 for demonstrating new exploits on devices made by Samsung, Xiaomi, and Apple.

Pwn2Own, a series of contests run by the Zero Day Initiative, brings security researchers to compete to expose the most vulnerabilities in popular software and devices. The competition in Tokyo on Tuesday and Wednesday focused on mobile devices.

Researchers showed off an array of different methods in which the devices could be compromised, according to blogs posted by the Zero Day Initiative. Among their conquests, a duo of hackers known as Fluoroacetate used near-field communication to force the Xiaomi Mi6 phone to a custom website. They then executed code on a Samsung Galaxy S9 using a baseband vulnerability, and successfully exfiltrated a deleted picture from an iPhone X.

A team of researchers from MWR Labs, division of F-Secure, used a string of different bugs to force the Xiaomi Mi6 and the Galaxy S9 to silently download an application over their Wi-Fi server, among other successful exploits.

Fluoroacetate ultimately earned $215,000, the most points, and took home the coveted “Master of Pwn” jackets.

That brings to an end #Pwn2Own Tokyo 2018! Congrats to team @fluoroacetate on earning 45 points and being crowned Master of Pwn! #P2OTokyo pic.twitter.com/5MVzayd5aF

— Zero Day Initiative (@thezdi) November 14, 2018

“We use research to push the boundaries of the cyber security industry, helping our clients predict, protect, detect and respond to modern cyber attacks,” said Ed Parsons managing director of MWR InfoSecurity, in a press release. “Pwn2Own is a great opportunity to develop and test ourselves while helping to secure technology many of us rely on. We’re very proud of the team’s latest win and their overall track record in the competition.”

The Zero Day Initiative said that the competition resulted in 18 zero-day exploits and that the vendors whose devices were compromised have been given 90 days to patch the newly uncovered bugs. This week’s event was the first Pwn2Own to include internet of things devices, although the researchers chose to focus on the mobile phones. A separate Pwn2Own contest in March focused on web browsers and saw the exploitation of 13 different bugs for a collective $267,000.

Researchers earn thousands for exposing mobile device exploits at Pwn2Own

More Like This

Democratic operative behind Biden AI robocall says lawsuit won’t ‘get anywhere’

House hurtles toward showdown over expiring surveillance tools

CISA ransomware warning program set to fully launch by end of 2024

Top Stories

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

Campaigns and political parties are in the crosshairs of election meddlers

More Scoops

Pwn2Own hackers go remote, then crack macOS and Oracle machines anyway

Pwn2Own hacking competition expands to industrial control systems

Tesla Model 3’s onboard browser attacked successfully at Pwn2Own

Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own

Apple, Oracle, VMware products successfully hacked at Pwn2Own

Tesla’s Model 3 is a big target at the next Pwn2Own

Hackers beat Firefox and Safari to earn $105K at Pwn2Own

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics