The Zero Day Initiative’s Pwn2Own Tokyo hacking competition has come to an end, with participants earning over $300,000 for disclosing vulnerabilities affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.
After on the first day participants received $225,000 for demonstrating zero-day exploit chains against the iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6, on the second day only $100,000 was paid out by organizers for one iPhone and two Xiaomi hacks.
Team Fluoroacetate, made up of Amat Cama and Richard Zhu, started the day by hacking an iPhone X using a Just-In-Time (JIT) bug and an out-of-bounds access flaw. The vulnerabilities allowed them to exfiltrate data from the device, which earned them $50,000. During their demo, the researchers showed how they could steal a previously deleted photo from the targeted device.
The same team also attempted to demonstrate a baseband exploit targeting the iPhone X, which would have been a first, but they failed to get their exploit chain to work within the allotted time.
F-Secure’s MWR Labs team also failed to hack the iPhone – the team targeted the browser – but they did show some interesting vulnerabilities that were purchased by ZDI through its standard program.
Both the MWR Labs and the Fluoroacetate teams managed to hack the Xiaomi Mi 6 browser, each exploit chain earning them $25,000.
Team Fluoroacetate received the highest number of Master of Pwn points, which earned them 65,000 ZDI reward points worth roughly $25,000.
All vulnerabilities have been reported to their respective vendors and they will likely be patched in the upcoming days or weeks.
Of the total of $325,000 paid out at Pwn2Own Tokyo for 18 zero-days, $110,000 was for iPhone X exploits. These are serious vulnerabilities that can allow malicious actors to take control of a phone via its browser or Wi-Fi.
While rewards at Pwn2Own are usually significantly higher than in regular bug bounty programs, many industry professionals will likely still argue that such vulnerabilities are worth much more on the black and grey markets. For example, exploit acquisition firm Zerodium offers up to $100,000 for a WiFi-based remote code execution and local privilege escalation exploit on Apple’s iOS. A remote jailbreak with persistence is worth as much as $1.5 million for the company.
This was the first Pwn2Own competition that covered IoT devices, but no one has attempted such hacks. Other devices not targeted this year are the Huawei P20 and the Google Pixel 2.