iPhone X Exploits Earn Hackers Over $100,000

The Zero Day Initiative’s Pwn2Own Tokyo hacking competition has come to an end, with participants earning over $300,000 for disclosing vulnerabilities affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.

On the first day, participants received $225,000 for demonstrating zero-day exploit chains against the iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6; on the second day, organizers paid out only $100,000, for one iPhone and two Xiaomi hacks.

Team Fluoroacetate, made up of Amat Cama and Richard Zhu, started the day by hacking an iPhone X using a Just-In-Time (JIT) bug and an out-of-bounds access flaw. The vulnerabilities allowed them to exfiltrate data from the device, which earned them $50,000. During their demo, the researchers showed how they could steal a previously deleted photo from the targeted device.

The same team also attempted to demonstrate a baseband exploit targeting the iPhone X, which would have been a first, but they failed to get their exploit chain to work within the allotted time.

F-Secure’s MWR Labs team also failed to hack the iPhone – the team targeted the browser – but they did show some interesting vulnerabilities that were purchased by ZDI through its standard program.

Both the MWR Labs and the Fluoroacetate teams managed to hack the Xiaomi Mi 6 browser, each exploit chain earning them $25,000.

Team Fluoroacetate received the highest number of Master of Pwn points, which earned them 65,000 ZDI reward points worth roughly $25,000.

All vulnerabilities have been reported to their respective vendors and they will likely be patched in the upcoming days or weeks.

Of the total of $325,000 paid out at Pwn2Own Tokyo for 18 zero-days, $110,000 was for iPhone X exploits. These are serious vulnerabilities that can allow malicious actors to take control of a phone via its browser or Wi-Fi.

While rewards at Pwn2Own are usually significantly higher than in regular bug bounty programs, many industry professionals will likely still argue that such vulnerabilities are worth much more on the black and grey markets. For example, exploit acquisition firm Zerodium offers up to $100,000 for a WiFi-based remote code execution and local privilege escalation exploit on Apple’s iOS. A remote jailbreak with persistence is worth as much as $1.5 million for the company.

This was the first Pwn2Own competition that covered IoT devices, but no one attempted such hacks. Other devices not targeted this year were the Huawei P20 and the Google Pixel 2.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
