Researchers identify zero-day vulnerabilities in Samsung Galaxy S9, Xiaomi Mi6

Researchers from F-Secure’s MWR Labs successfully demonstrated attacks leveraging zero-day vulnerabilities in different smart phones at the Mobile Pwn2Own competition in Tokyo. The team competed in four different categories at the event, and successfully demonstrated unpublished exploits for the Xiaomi Mi6 and Samsung Galaxy S9 smart phones.

The research team consisted of F-Secure’s MWR Labs’ Rob Miller, Georgi Geshev, and Fabian Berteke. According to F-Secure Managing Director Ed Parsons, the team’s discoveries add to MWR Labs’ successful Pwn2Own track record and exemplify how the competition helps consultants learn so they can offer better protection to customers.

“We use research to push the boundaries of the cyber security industry, helping our clients predict, protect, detect and respond to modern cyber attacks,” said Parsons in a statement. “Pwn2Own is a great opportunity to develop and test ourselves while helping to secure technology many of us rely on. We’re very proud of the team’s latest win and their overall track record in the competition.”

Pwn2Own is a competition organized by the Zero Day Initiative where security researchers compete to exploit popular devices by using previously undisclosed (zero-day) vulnerabilities. The competition is held twice a year, with one event focusing on desktops and another focusing on mobile devices. Internet of Things devices were also included in this year’s mobile competition.

According to F-Secure President and CEO Samu Konttinen, competing in events like Pwn2Own helps experts learn to apply creativity and innovative thinking to security research, which ensures they stay a step ahead of attackers.

“Competitions like this give us an opportunity to demonstrate the creativity and innovation we bring to cyber security. That reassures current and potential customers that the human expertise powering our services and solutions is going to help their defenses stay a step ahead of even the most advanced adversaries,” said Konttinen in a statement. “I’m thrilled with the inventiveness that MWR Labs has shown with this research, and I can’t wait to see what our world-class security professionals will come up with next.”

All vendors have been made aware of the vulnerabilities and are now working to patch them. Advisories will be published once patches become available.

Source: F-Secure

MacDailyNews Take: Discovering vulnerabilities in Android is like finding grains of sand at the beach.

2 Comments

  1. “A12 and S4 devices now:
    – use ARM signed pointers for all Apple software
    – have new physical anti-replay counter circuit in Secure Enclave
    – mitigate USB DFU hijacking in enclave firmware”

    Oh, so there are some security benefits to having only one Apple Store.
