Pwn2Own Tokyo 2018 is a contest held for hackers alongside the PacSec security conference in the capital Tokyo, Japan. One the first day of Pwn2Own, Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 have been successfully hacked for rewards by different tech teams.

Xiaomi Mi 6 Hacked

A team of two including Amat Cama and Richard Zhu and named as “Fluoroacetate” first hacked the Xiaomi Mi 6 with the NFC exploit. The Zero Day Initiative (ZDI), organizers of the event, told that Fluoroacetate managed to use an out-of-bounds write bug influencing web assembly to achieve code execution through NFC. The team was rewarded $30,000 for the research.

Another team from the popular UK-based MWR Labs went on to earn $30,000 for taking down Xiaomi Mi 6 in two attempts. The successfully explained a code execution exploit via Wi-Fi leading in a photo exfiltration from the targeted device. Explaining the hack, ZDI said that the exploit was a result of 5 distinct logic bugs, including one that silently installed an app on the device via JavaScript.

Samsung Galaxy S9 Hacked

Furthermore, MWR Labs team also attempted exploits on the Android flagship Samsung Galaxy S9. It took them two attempts to demonstrate an exploit on the device. The researchers hacked a captive portal on Galaxy S9 with no user-interaction to use it for putting unsafe redirect and unsafe application aiding to load bugs on the device and execute the code. The white hats earned another $30,000 for the exploit.

Apple iPhone 7 Hacked

The Fluoroacetate also successfully attempted an exploit on Samsung Galaxy S9. The researches piled up an overflow in Galaxy S9’s baseband component and earned $50,000.

Furthermore, the team attempted to exploit on an iPhone X and successfully hacked the device over Wifi using a bug named Just-In-Time (JIT) and an out-of-bounds write flaw which earned them $60,000.

Michael Contreras, an independent researcher, finally took on Xiaomi Mi 6 again. He attempted a JavaScript type confusion flaw to successfully execute code on the device. He was rewarded with $25,000 for the successful attempt.

The Annual Pwn2Own Event

The total price earned by Pwn2Own Tokyo 2018 participants on the first day of the event was $225,000. On the second day, MWR Labs and Fluoroacetate will take several other attempts to hack Apple iPhone X and Xiaomi Mi 6. The competition will also cover IoT devices including Amazon Echo, Apple Watches. Amazon Cloud Cam, Google Home, and Nest Cam IQ Indoor. The prizes range from $40,000 to $60,000 for these devices. However, no exploit will be presented. Devices not included in this year’s event are Google Pixel 2 and Huawei P20.

Notably, last year participants earned more than half a million in Mobile Pwn2Own when they took on Galaxy S8, Huawei Mate 9 Pro, and iPhone 7.