Trend Micro's Zero Day Initiative is a program designed to reward security researchers for finding vulnerabilities in smartphones. It recently held a Pwn2Own contest in Tokyo, Japan, offering more than $500,000 USD in cash and prizes to contestants who discover vulnerabilities in the selected products within the time limit. The team that earns the most Master of Pwn (MOP) points is named Master of Pwn and receives the MOP jacket.

This year the contest targeted the following mobile devices, all updated with the latest security patches and operating systems.

  • Google Pixel 2
  • Samsung Galaxy S9
  • Apple iPhone X
  • Huawei P20
  • Xiaomi Mi6

The IoT devices targeted this year are:

  • Apple Watch Series 3
  • Amazon Echo (2nd Generation)
  • Google Home
  • Nest Cam IQ Indoor
  • Amazon Cloud Cam Security Camera

For the above devices, researchers were challenged this year with the following tasks:

  1. In the IoT category, a successful entry must achieve code execution on the device without user interaction.
  2. On the devices, entries need to target the default web browser of each respective device.
  3. Attacking devices over a short distance via Bluetooth, Wi-Fi and near field communication (NFC).
  4. Attacking via SMS or MMS messages, which the target needs to view or receive.
  5. Targeting a device that communicates with a rogue base station.

Winners in the two categories Browser and Short distance will get an additional $20,000 and 2 extra MOP points.

The contest takes place over two days. On the first day, team Fluoroacetate (Amat & Richard) targeted the Xiaomi Mi6 in the short distance category (NFC) and succeeded by using an out-of-bounds write in WebAssembly to get code execution via NFC, earning $30,000 and 6 MOP points. They then targeted the Samsung Galaxy S9 in the baseband category and achieved code execution by using a heap overflow in the baseband component, earning $50,000 USD and 15 MOP points. Finally that day, they targeted the iPhone X in the short distance category and compromised it by using a JIT bug followed by an out-of-bounds write to achieve code execution, earning $60,000 and 10 more MOP points. In total, the Fluoroacetate duo earned $140,000 in cash and 31 MOP points on day one.

On the same day, the MWR Labs team targeted the Mi6 in the short distance category and achieved code execution on the device by using a chain of five different bugs; they also silently installed an application on the device via JavaScript. This earned them $30,000 USD and 6 MOP points. They also targeted the Samsung Galaxy S9 in the same category and combined three bugs to install their application on the Galaxy S9, earning $30,000 and 6 more MOP points. In total, the MWR Labs team earned $60,000 USD and 12 MOP points on day one. Finally, Michael Contreras targeted the Xiaomi Mi6 in the browser category and used a JavaScript type confusion bug to get code execution on the device, earning $25,000 USD and 6 MOP points.

On the second day, the Fluoroacetate duo targeted the iPhone X in the browser category and succeeded by using a JIT bug in the browser along with an out-of-bounds access to exfiltrate data; in their demonstration they retrieved deleted pictures from the iPhone X, earning $50,000 USD and 8 MOP points. In the same category they then targeted the Xiaomi Mi6 and succeeded by using an integer overflow in the JavaScript engine to exfiltrate a picture from the phone, winning $25,000 USD and 6 MOP points. The MWR Labs team then targeted the same device in the same category, using a download bug along with a silent app installation to load their custom application and retrieve some pictures from the device, for which they earned $25,000 USD and 6 more MOP points.

Finally, the Fluoroacetate team (Amat & Richard) finished with a total of $215,000 USD and 45 MOP points, winning the Master of Pwn title. All the vulnerabilities demonstrated in the contest were communicated to the respective device manufacturers, with a target of producing security patches for the bugs within 90 days.