Samsung Galaxy S8 also hacked twice at Pwn2Own

Nov 3, 2017 13:30 GMT

The iPhone 7 has once again been hacked at Zero Day Initiative's Mobile Pwn2Own competition, only one day after the device was compromised twice using different exploits.

Since it’s one of the most popular mobile devices worldwide, it makes sense for the iPhone to be a preferred target for security researchers at the hacking competition. After being compromised twice on day one, the iPhone 7 was breached two more times on day two.

First, 360 Security targeted Wi-Fi on the iPhone and managed to exfiltrate data from the device, which in turn earned the team $20,000. Interestingly, 360 Security attempted to exploit a bug that was used to compromise the iPhone 7 on day one as well, and this could be a bit worrying since it appears that more security researchers might be aware of the issue.

“After a successful demonstration, things got a bit murky in the disclosure room. 360 Security used three separate bugs to exploit WiFi on the iPhone, but one of the bugs was submitted in a previous attempt in the contest by a different competitor,” ZDI explains.

“While the intrigue of a bug collision is certainly interesting, let’s not overlook the fact that 360 Security demonstrated an exploit that exfiltrated data from an iPhone just by connecting it to a WiFi network.”

The same team breached the iPhone 7 a second time using a Safari browser bug, which also allowed data exfiltration and led to a reward of $25,000.

Samsung Galaxy S8 also breached

Just like on day 1, the iPhone wasn’t the only target for security researchers, and the Samsung Galaxy S8 was compromised twice as well. First, MWR Labs used an attack based on 11 different bugs in the browser to eventually compromise Google Chrome and other Samsung apps, gaining the rights to install an APK.

And last but not least, acez demonstrated a baseband attack, which allowed for code execution and privileges to write persistent data to the device. This successful attack was rewarded with $50,000.

Overall, with the contest finally coming to an end, it’s pretty clear that not even the devices that are deemed the most secure are hacker-proof, and there’s always something to patch no matter the brand.