Security researchers competing in the Pwn2Own competition in Tokyo this week earned a collective $325,000 for demonstrating new exploits on devices made by Samsung, Xiaomi, and Apple.
Pwn2Own, a series of contests run by the Zero Day Initiative, brings security researchers to compete to expose the most vulnerabilities in popular software and devices. The competition in Tokyo on Tuesday and Wednesday focused on mobile devices.
Researchers showed off an array of different methods in which the devices could be compromised, according to blogs posted by the Zero Day Initiative. Among their conquests, a duo of hackers known as Fluoroacetate used near-field communication to force the Xiaomi Mi6 phone to a custom website. They then executed code on a Samsung Galaxy S9 using a baseband vulnerability, and successfully exfiltrated a deleted picture from an iPhone X.
A team of researchers from MWR Labs, division of F-Secure, used a string of different bugs to force the Xiaomi Mi6 and the Galaxy S9 to silently download an application over their Wi-Fi server, among other successful exploits.
Fluoroacetate ultimately earned $215,000, the most points, and took home the coveted “Master of Pwn” jackets.
— Zero Day Initiative (@thezdi) November 14, 2018
“We use research to push the boundaries of the cyber security industry, helping our clients predict, protect, detect and respond to modern cyber attacks,” said Ed Parsons managing director of MWR InfoSecurity, in a press release. “Pwn2Own is a great opportunity to develop and test ourselves while helping to secure technology many of us rely on. We’re very proud of the team’s latest win and their overall track record in the competition.”
The Zero Day Initiative said that the competition resulted in 18 zero-day exploits and that the vendors whose devices were compromised have been given 90 days to patch the newly uncovered bugs. This week’s event was the first Pwn2Own to include internet of things devices, although the researchers chose to focus on the mobile phones. A separate Pwn2Own contest in March focused on web browsers and saw the exploitation of 13 different bugs for a collective $267,000.