Pwn2Own 2018 Tokyo, Japan Edition: $325,000 Reward Money Earned by WhiteHat Hackers

All Yahoo Accounts had been Hacked Not Just 1 Billion 1

What we can consider as the Olympics-of-White-Hat-Hackers, Pwn2Own hacker competition hosted by TrendMicro in Tokyo, Japan, has given away $325,000 in rewards for the group of hackers for this year’s edition. With huge reward money on the line, the various team of whitehat hackers from different countries competed, which resulted for successful intrusion and exploits against mainstream devices such as the iPhone X, Xiaomi Mi6 and the Galaxy S9.

All-in-all, the competition featured a total of 18 Zero-day exploits which included an NFC hacking attack, vulnerability with the touch-to-connect feature of Xiaomi Mi6. Team Fluoroacetate demonstrated live the successful exploitation of web assembly to execute code on top of the browser. This successful exploit earned the team $ 30,000. An additional $50,000 reward money falls on their lap when the same team took advantage of a baseband flaw to execute arbitrary code against a Galaxy S9 phone.

The Fluoroacetate was on the roll in the competition, as they have demonstrated a JIT vulnerability using a chain attack based on out-of-bounds write, enabling them to execute code in iPhone X outside its sandbox. This feat earned them an additional $60,000 on top of previous earnings. The icing on the cake is the team bagged the Master of Pwn team title, which added $140,000 to their total earnings, only on the first day of competition.

Another prolific team in the competition by the name of MWR Labs have used Javascript to bypass a sandbox in Xiomi Mi6 after a chain of attacks against the device. The 5-step chain attacks netted the team an initial $30,000 reward. Competing as a solo entry, Michael Contreras has demonstrated a unique JavaScript attack, earning him for himself $25,000 reward money.

Fluoroacetate still has many tricks in their sleeves as they demonstrated how Safari’s JIT bug can extract data from iPhone X out of its sandbox. The demo includes the successful deletion of images from the phone, which made the team richer by $80,000. An unknown integer overflow was used against a web browser in Xiaomi Mi6, which added $25,000 to the team’s earnings.

A series of attack against a previously unknown bug has been performed by MWR Labs on the second day of the competition, which equals $25,000 more for their team. The competition was a fierce, exciting and fun event for all the participants, with all the rewards totaling to $325,000. The grand champion, Fluoroacetate team brought home a total of $215,000 after the 2-day event.

Pwn2Own is a friendly competition of displaying the skills of whitehat hackers; it is a twice-a-year event that demonstrates hacking attacks against common devices and platforms. All successful hacks are documented in full details and responsibly disclosed to the devices’ respective vendors for official patches to be created to plug the vulnerabilities.

Vendors that had their devices hacked in the competition are all given 90-days per vulnerability to develop a compatible patch that will stop the exploits from being used in the wild after the competition.

0 Comments

Leave a Comment

Login

Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password
Register