According to Zero Day Initiative, of the organizers of the event — “Fluoroacetate” team (Amat Cama and Richard Zhu) was the first to exploit Xiaomi Mi 6 with the help of device NFC.
They used the touch-to-connect feature to force open up their specially crafted web page, on the device browser. Following which they leveraged an out-of-bounds write bug affecting WebAssembly to achieve code execution. The researchers earned $30,000 for this hack.
The same team was able to exploit Samsung Galaxy S9 which involved a heap overflow in the device’s baseband component. This hack fetched them a sum of $50,000. Fluoroacetate was also able to hack iPhone X via Wifi using a Just-In-Time (JIT) bug, and an out-of-bounds write flaw, which grabbed another $60,000.
Another team from UK-based MWR Labs took two attempts before finally hacking Xiaomi Mi 6 and Samsung Galaxy S9. The team used a code execution exploit via Wi-Fi that resulted in a photo getting exfiltrated from the targeted phone. ZDI says they chained a bunch of bugs to silently install an application via javascript. MWR Labs was rewarded $60,000 for hacking both the phones.
At the end of the first day, a researcher Michael Contreras received $25,000 for hacking the Xiaomi Mi 6 browser via JavaScript type confusion flaw.
This was only one day of the Pawn2Tokyo; more hacks will be coming soon enough. Last year, devices like Samsung Galaxy S8, Huawei Mate 9 Pro and iPhone 7 were hacked many times, for which hackers received a cash price of $500,000.
Post your Comment
