top of page

Multiple iPhone X and Galaxy S9 hijacks found today

No matter how good your mobile device’s security appears to be, there are likely still vulnerabilities present that will allow professional hackers to gain access if given enough time and physical access to the device.

Over the past two days, security researchers have been hard at work in Tokyo at the annual Pwn2Own event focusing on smartphones. Going up against fully patched devices with the latest security updates, teams have managed to successfully hack into the iPhone X, Samsung Galaxy S9, and Xiaomi Mi6.

Sponsored by Trend Micro’s Zero Day Initiative, teams successful in demonstrating working hacks netted a total of $325,000 in prize money. Throughout the event, 18 zero-day vulnerabilities were found across Samsung, Apple, and Xiaomi devices. Numerous other exploits were found to allow full control over mobile devices.

Apple’s iPhone X was able to be exploited due to an issue with Safari. A just-in-time vulnerability combined with an out-of-bounds write bug allows for data to be extracted from an iPhone X that is connected to Wi-Fi. The device was running the latest version of iOS 12.1. During the demonstration, Richard Zhu and Amat Cama were able to recover a deleted photo off of the device and received $50,000 as a result.

The duo also was working on baseband exploits for the iPhone X, but did not have enough time to get it working during the time of the competition. Trend Micro is expected to acquire the exploit at a later date through its Zero Day Initiative.

Turning to the Galaxy S9, a memory heap overflow was discovered in its baseband, allowing for arbitrary code execution. The S9 was also able to be attacked by connecting it to a malicious Wi-Fi network with a specially crafted captive portal that did not require user interaction. Unsafe redirects and application loading were demonstrated that allowed full control of the device.

Xiaomi’s Mi6 was able to be exploited via NFC. Taking advantage of the touch-to-connect feature, a web browser can be opened and forced to open a malicious web page. In practice, there is currently no way to avoid this attack except by disabling NFC completely. Additionally, a JavaScript engine flaw on the Mi6 allowed for integer overflows, ultimately allowing researchers to pull files from the device.

Full details of the exploits discovered will be published 90 days from now. Affected vendors and manufacturers have been alerted to the issues and should be able to fix them during the wait period.


bottom of page