Pwn2Own Tokyo 2018: Day One Results

November 13, 2018 | Dustin Childs

The first day of Pwn2Own Tokyo 2018 has come to a close. Today saw some great action and amazing research as we awarded $225,000 USD and 48 Master of Pwn points. We had six successful attempts and purchased 13 bugs in total.

Our day began with Fluoroacetate (Amat Cama and Richard Zhu) successfully exploiting the Xiaomi Mi6 handset via NFC. Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage. During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world. The webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution on the phone. This earned them $30,000 USD and 6 Master of Pwn points.

Next up, the team from MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) also targeted the Xiaomi Mi6. When the phone connected to their Wi-Fi server, they forced the default web browser to navigate to a portal page – much like joining the Wi-Fi at a coffee shop. They then chained additional bugs together to silently install an application via JavaScript, bypass the application whitelist, and automatically start the application. In all, five different bugs were chained together for this demonstration, which earned the MWR team $30,000 USD and 6 Master of Pwn points.


The Fluoroacetate duo returned, this time targeting the Samsung Galaxy S9. They made quick work of it by using a heap overflow in the baseband component to get code execution. Baseband attacks are especially concerning, since someone can choose not join a Wi-Fi network, but they have no such control when connecting to baseband. The work earned them another $50,000 USD and 15 more points towards Master of Pwn.


Next up, Amat and Richard returned to the Short Distance category. This time, they were targeting the iPhone X over Wi-Fi. They used a pair of bugs – a JIT vulnerability in the web browser followed by an Out-Of-Bounds write for the sandbox escape and escalation. The successful demonstration earned them $60,000 USD more and 10 additional Master of Pwn points. This ends their first day of competition with $140,000 USD and a commanding lead for the Master of Pwn with 31 points.


Following that attempt, the team from MWR Labs combined three different bugs to successfully exploit the Samsung Galaxy S9 over Wi-Fi. They forced the phone to a captive portal without user interaction, then used an unsafe redirect and an unsafe application load to install their custom application. Although their first attempt failed, they nailed it on their second try to earn $30,000 USD and 6 more Master of Pwn points.


In our last entry of the day, Michael Contreras made sure his first Pwn2Own attempt was memorable. He wasted no time in exploiting a type confusion in JavaScript. In doing so, he earned himself $25,000 USD and 6 Master of Pwn points. We look forward to seeing him in future events. Excelsior!


That wraps the first day of Pwn2Own Tokyo 2018. It was great to see such exciting research with more to come on Day Two. The Fluoroacetate duo currently has the lead in Master of Pwn points with 31, while MWR Labs is second place with 12. It was awesome to see such high-quality exploits from this talented group of researchers. Even though we awarded $225,000 today, tomorrow looks even bigger with more iPhone browser attempts and potentially an iPhone baseband exploit.

Stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up Pwn2Own Tokyo 2018!