Multiple zero-day exploits found in iPhone X and Galaxy S9

Greg S


Over the past two days, security researchers competing at the annual mobile-focused Pwn2Own event in Tokyo have gone up against fully patched devices running the latest security updates, and teams have successfully compromised the iPhone X, Samsung Galaxy S9, and Xiaomi Mi6.

Sponsored by Trend Micro's Zero Day Initiative, the event paid out a total of $325,000 to teams that demonstrated working exploits. Across the two days, 18 zero-day vulnerabilities were reported in the Apple, Samsung, and Xiaomi devices, several of them chained together into exploits that gave full control of the target phone.

Apple's iPhone X, running the latest iOS 12.1, was exploited through Safari: a just-in-time (JIT) compiler bug chained with an out-of-bounds write allowed data to be extracted from a device connected to Wi-Fi. Richard Zhu and Amat Cama demonstrated the chain by recovering a deleted photo from the phone and were awarded $50,000.

The duo also worked on a baseband exploit for the iPhone X but ran out of time to get it working during the competition. Trend Micro is expected to acquire that exploit at a later date through its Zero Day Initiative.

Turning to the Galaxy S9, a heap overflow was discovered in its baseband processor, allowing arbitrary code execution. The S9 was also attacked by connecting it to a malicious Wi-Fi network whose specially crafted captive portal required no user interaction; an unsafe redirect and unsafe application loading were then chained to gain full control of the device.

Xiaomi's Mi6 was exploited via NFC: by abusing the touch-to-connect feature, the researchers forced the device's web browser to open a malicious web page. As reported, the only current way to avoid this attack is to disable NFC completely. Separately, an integer overflow in the Mi6's JavaScript engine allowed researchers to pull files off the device.

Full technical details of the exploits will be published after a 90-day disclosure window. The affected vendors and manufacturers have been notified and are expected to ship fixes during that period.




Posts: 837   +820
Wonder how long Samsung will take to push the security patches to United States users with the carriers involved. I have a suggestion... don't hold your breath, you'll die of asphyxiation. If you're in Europe then you'll be fine, you should get the security patch by the end of the month. But as for United States users... God help you.


Posts: 5,461   +6,133
To me it seems like Google and Apple would rather pay the one-time bug bounty fee than actually hire people to make sure their devices are secure in the first place.

Feels bad for security researchers who are doing bug bounties as you could most certainly get more money by selling the zero-day exploit to other "clients".


Posts: 837   +820
To me it seems like Google and Apple would rather pay the one-time bug bounty fee than actually hire people to make sure their devices are secure in the first place.
I wouldn't go that far. Writing good, secure code is indeed hard; it takes more time and thinking about ways you can break said code.

Remember... anything made by a human can be broken by another human.