Pwn2Own Tokyo 2018 – Day Two Schedule and Updates

November 13, 2018 | Dustin Childs

Welcome back to Pwn2Own Tokyo 2018. Yesterday saw some amazing research demonstrated, and today’s docket looks even better. If you didn’t see the results from Day One, you can read the details here. We awarded $225,000 USD for 13 bugs that targeted the iPhone X, Xiaomi Mi6, and Samsung Galaxy S9. The iPhone and Xiaomi handset are set to be targeted again today.

The full schedule for Day Two is below (all times JTZ [UTC+9:00]). We will update this schedule with results as they become available.

Day Two – November 14, 2018

1000 Fluoroacetate (Amat Cama and Richard Zhu) targeting the iPhone X in the browser category.

Success: - The Fluoroacetate team used a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In doing so, they earn themselves $50,000 and 8 Master of Pwn points.

1130 MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) targeting the iPhone X in the browser category.

Failure: - The team could not get their exploit chain to work within the allotted time.

1300 Fluoroacetate (Amat Cama and Richard Zhu) targeting the Xiaomi Mi6 in the browser category.

Success: - The Fluoroacetate duo used an integer overflow in the JavaScript engine of the Xiaomi web browser to exfiltrate a picture from the phone. They earn $25,000 USD and 6 Master of Pwn points.

1430 Fluoroacetate (Amat Cama and Richard Zhu) targeting the iPhone X in the baseband category.

Failure: - The team could not get their exploit to work within the time allotted.

1600 MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) targeting the Xiaomi Mi6 in the browser category.

Success: - The MWR Labs team used a download bug along with a silent app installation to load their custom app and exfiltrate pictures. They earned another $25,000 USD and 6 more Master of Pwn points.

We’ll update this blog with results as they become available. Follow us on Twitter for the latest information, and check back for our end-of-day blog recapping all of the results and awards.