Security Experts:

Samsung, Apple, Huawei Phones Hacked at Mobile Pwn2Own

Researchers have managed to hack the Samsung Galaxy S8, the iPhone 7 and the Huawei Mate 9 Pro on the first day of the Mobile Pwn2Own 2017 competition taking place alongside the PacSec conference in Tokyo, Japan.

The prize pool for the event organized by Trend Micro’s Zero Day Initiative (ZDI) exceeds $500,000 and participants have already earned a significant chunk on the first day.

The day started with an attempt from Tencent Keen Security Lab to demonstrate an exploit against the Internet Browser on a Samsung Galaxy S8. The attempt could have earned them $70,000, but it failed.

However, a researcher from the Chinese security firm Qihoo360 did manage to hack the Internet Browser on the Galaxy S8 (with persistence) and take home the $70,000. The expert achieved code execution in the browser and exploited a privilege escalation in a different Samsung app for persistence after a reboot.

As for attacks targeting Apple’s iPhone 7 with iOS 11.1, the Tencent Keen Security Lab team earned $110,000 for a total of four vulnerabilities allowing code execution via Wi-Fi and privilege escalation for persistence through a reboot. The same team earned an additional $45,000 for hacking Safari on the iPhone 7.

Richard Zhu, aka fluorescence, earned $25,000 for a Safari exploit on an iPhone 7 and a sandbox escape.

The Tencent Keen Security Lab team also took a crack at the Huawei Mate 9 Pro. Researchers failed to hack the device’s NFC system, but they did manage to develop an exploit targeting the Android phone’s baseband, which earned them $100,000.

This brings the total earned by participants on the first day of Mobile Pwn2Own 2017 to $350,000.

No one has attempted to hack Google’s Pixel phone or the company’s Chrome browser on the first day, but there are six more hacking attempts scheduled for the second day of the event.

The vulnerabilities exploited at the competition will be disclosed to Apple, Google, Samsung and Huawei, and they will be given 90 days to release a fix before limited details about the flaws are made public by ZDI.

*Updated the amount earned by Richard Zhu and the total amount from day one

Related: Nexus 6P, iPhone 6S Hacked at Mobile Pwn2Own 2016

Related: Hackers Earn $200,000 for VM Escapes at Pwn2Own 2017

Related: Windows, macOS Hacked at Pwn2Own 2017

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.