Hackers Exploit Fully Patched iPhones and Android Devices at Pwn2Own 2017


Security researchers and hackers have demonstrated a bunch of new zero-day vulnerabilities in fully patched Apple, Samsung and Huawei mobile devices on the opening day of the Mobile Pwn2Own 2017 hacking competition in Tokyo (via eWeek). 

Several groups of hackers made a total of seven exploit attempts, five of which were successful. Fully patched Apple iPhone 7, Samsung Galaxy S8 and Huawei Mate9 Pro devices were among the successfully exploited targets. Researchers who demonstrated the successful exploits were rewarded with a total of $350,000 in prize money from Trend Micro’s Zero Day Initiative (ZDI).

Three of the five successful exploits were made against Apple devices, including two browser exploits against Safari and one WiFi exploit. Apple just updated iOS to 11.1 on Oct. 31, which is the version the researchers were able to exploit. 

Researchers from 360 Security were able to demonstrate a chain of flaws on the Samsung Galaxy S8 that led to arbitrary code execution. The exploit chain included a bug in the Samsung internet browser paired with a privilege escalation in a Samsung application that enabled code execution to persist through a reboot. ZDI awarded the 360 Security team $70,000 for its efforts.

All of the flaws discovered at the event are privately reported to the impacted vendors and are subject to the ZDI’s disclosure policy, which provides vendors with 90 days to fix the vulnerabilities before they are publicly disclosed.

Apple’s latest iOS 11.1 update patches 14 vulnerabilities, including six that were memory corruption issues in Safari’s WebKit browser rending engine. However, there are apparently still security issues in iOS 11.1 that Apple will need to patch in a future update.