Apple's iPhone 7 running iOS 11.1, the Samsung Galaxy S8 and the Huawei Mate 9 Pro were hacked on the first day of Mobile Pwn2Own. Credit: Trend Micro/Zero Day Initiative Mobile platforms are feeling the pain at the 6th annual Mobile Pwn2Own competition, which is taking place at the PacSec conference in Tokyo.Apple’s iPhone 7 fell three times with two different attacks against Safari and one against Wi-Fi. Samsung’s Galaxy S8 fell once via its Internet Browser. And a baseband exploit that could allow an attacker to spoof the device was used against Huawei’s Mate 9 Pro.Trend Micro’s Zero Day Initiative announced that on day one, contestants successfully pulled off five exploits against Samsung Galaxy S8, Apple iPhone 7 and the Huawei Mate 9 Pro and earned a staggering $350,000 thus far. Although there are four targets in total, none of the teams took on Google Pixel in day one.All of the phones are running the latest OS with all available patches installed. There are four targeting categories that cover mobile browsers; short distance attacks happening via Bluetooth, NFC or Wi-Fi; attacks on MMS or SMS messages; and baseband attacks in which the target device communicates with a rogue base station. Money prizes exceed $500,000 this year. Samsung Galaxy 8 hackThe first successful hack targeted the Internet Browser of the Samsung Galaxy S8. 360 Security’s mj0011 leveraged a bug in the Samsung Internet Browser to get code execution and then used privilege escalation in an unnamed Samsung app that persisted after a reboot. The hack earned him $70,000.Confirmed! @mj0011sec demoed a bug on #Galaxy Browser & priv escalation via #Samsung app to persist a reboot. Earn $70K & 11 MoP points.— Zero Day Initiative (@thezdi) November 1, 2017iPhone 7 hacksThe next successful attack occurred after Tencent Keen Security Lab targeted the Wi-Fi on an iPhone 7 running iOS 11.1 Keen Lab used four bugs in total, managing to get code execution through a Wi-Fi bug and then escalated privileges for persistence after reboot. Exploiting four bugs earned the team a whooping $110,000! Confirmed! @keen_lab used 4 bugs to exploit a WiFi bug on #Apple #iPhone & survive a reboot, earning $110K & 11 Master of Pwn points. #MP2O— Zero Day Initiative (@thezdi) November 1, 2017Richard Zhu, aka fluorescence, pulled off the next successful pwnage of Apple’s iPhone 7. He targeted the Safari Browser, leveraging two bugs to exploit Safari and escape the sandbox. Zhu earned $25,000 for the hack.Look at that. Richard Zhu (fluorescence) successfully demonstrates #Safari exploit on iPhone 7. Off to the disclosure room for confirmation— Zero Day Initiative (@thezdi) November 1, 20173 for 3 on #Apple exploits using iOS 11.1 at #MP2O https://t.co/8dLfXI1cBz— Trend Micro (@TrendMicro) November 1, 2017Huawei Mat 9 Pro hackKeen Lab had another go, targeting baseband on the Huawei Mate 9 Pro. The researchers used a stack overflow on the baseband processor to earn $100,000.Confirmed! @keen_lab used a stack overflow in the #huawei baseband earning themselves $100,000 and 20 Master of Pwn points. #MP2O— Zero Day Initiative (@thezdi) November 1, 2017The Master of Pwn points, which “show an extra level of complexity in the exploit used,” as well as the associated cash prize for each are explained here. The add-on bonuses consist of a kernel bonus and a persistence bonus. There are also penalties that remove add-on bonuses.There will be six more attempts made on day two of Mobile Pwn2Own, including two more targeting Apple and another on baseband.When this year’s contest was first announced, Mike Gibson, vice president of threat research for Trend Micro, said, “Rewarding responsible disclosure of these bugs promotes our overarching goal of making everyone safer online. Researchers participating in the contest gain notoriety and can win a significant amount of money, and vendors are given the opportunity to patch zero-day vulnerabilities that might have otherwise wreaked havoc on their systems.”ZDI first verifies that the attack was a true zero-day exploit and then discloses the vulnerability to the vendor. Representatives from Apple, Google and Huawei are at Mobile Pwn2Own. The vendors have 90 days after disclosure to release a fix or to come up with a reasonable explanation for why they did not before ZDI publishes “a limited advisory including mitigation in an effort to enable the defensive community to protect users.” Related content news Dow Jones watchlist of high-risk businesses, people found on unsecured database A Dow Jones watchlist of 2.4 million at-risk businesses, politicians, and individuals was left unprotected on public cloud server. By Ms. Smith Feb 28, 2019 4 mins Data Breach Hacking Security news Ransomware attacks hit Florida ISP, Australian cardiology group Ransomware attacks might be on the decline, but that doesn't mean we don't have new victims. A Florida ISP and an Australian cardiology group were hit recently. By Ms. Smith Feb 27, 2019 4 mins Ransomware Security news Bare-metal cloud servers vulnerable to Cloudborne flaw Researchers warn that firmware backdoors planted on bare-metal cloud servers could later be exploited to brick a different customer’s server, to steal their data, or for ransomware attacks. By Ms. Smith Feb 26, 2019 3 mins Cloud Computing Security news Meet the man-in-the-room attack: Hackers can invisibly eavesdrop on Bigscreen VR users Flaws in Bigscreen could allow 'invisible Peeping Tom' hackers to eavesdrop on Bigscreen VR users, to discreetly deliver malware payloads, to completely control victims' computers and even to start a worm infection spreading through VR By Ms. Smith Feb 21, 2019 4 mins Hacking Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe