Samsung Galaxy S10 Hacked. Twice.

Samsung Galaxy S10 hacked

The Samsung Galaxy S10 has been compromised by Tokyo hackers exploiting multiple vulnerabilities

AFP/Getty Images

Hackers gathered in Tokyo during the first week of November 2019; they were there to hack stuff and make money. They succeeded, and then some. The "stuff" successfully hacked during the Pwn2Own Tokyo event included an Amazon Echo Show 5, a brace of smart TVs, some routers and the Xiaomi M9 smartphone. Oh yes, and the Samsung Galaxy S10. Twice.

What is Pwn2Own?

Pwn2Own is a hacking event that started in 2007 and is now held twice every year. The hacking teams taking part are comprised of some of the leading security researchers, or "white hat" hackers, from around the world. They aim to "pwn" specific devices, in competition against each other. Pwning is defined as "utterly defeating" someone in a video game or, in this case, a something. Once a device has been pwned, the hackers can then claim to "own" it, and they demonstrate this ownership by doing things they shouldn't be able to, such as exfiltrating data or installing malware.

In Tokyo, the competition organized by Zero Day Initiative, saw hackers taking part win a total of $315,000 (£246,000) for their efforts in disclosing 18 different "zero-day" vulnerabilities. These vulnerabilities are then reported to the vendors of the pwned devices, with a 90-day timescale to fix the security issues before they are publicly disclosed. Every successful exploit at Pwn2Own earns points as well as cash for the hacking teams taking part. The team with the most points is crowned "Master of Pwn." For the third year in succession, that title has gone to Team Fluoroacetate.

Who is Team Fluoroacetate?

Team Fluoroacetate is the highly successful hacker pairing of security researchers Richard Zhu and Amat Cama. At the Pwn2Own Vancouver event held during March 2019, Team Fluoroacetate managed to hack a Tesla Model 3 car to exploit the infotainment system and display a message. They also pwned the Apple Safari, Microsoft Edge, and Mozilla Firefox web browsers at the same event. Their prize winnings from Vancouver totaled $375,000, and the Tesla Model 3 they had managed to hack. They also won the Master of Pwn title, as they had at the previous event.

How was the Samsung Galaxy S10 hacked?

There has been a lot of attention paid to the hacking of any smartphone fingerprint security, and the Samsung Galaxy S10 itself hasn't escaped the claims of fingerprint scanner hacking. This is hardly surprising given that new biometric technology could be featured, quite literally, front and center in the yet to be released Samsung Galaxy S11.  

However, Team Fluoroacetate did not pay any attention to biometrics at Pwn2Own; instead they used a rogue baseband base station to which the Galaxy S10 was connected. The baseband, which enables smartphone modems to communicate with the cell network has been in the news recently after researchers tricked several Android phones into snooping on their owners. Team Fluoroacetate earned $50,000 (£39,000) for placing an arbitrary file, which could have been malware in the hands of a hostile attacker, onto the Galaxy S10 using the baseband station and a stack overflow exploit.

That was one Samsung Galaxy S10 hack. Team Fluoroacetate wasn't finished there, though. By employing a double-whammy of a JavaScript Just-In-Time compiler bug and a use-after-free memory corruption vulnerability the team could escape the Galaxy S10 sandbox that is meant to protect the device by isolating different application processes. By exploiting the vulnerabilities via the Galaxy S10 near-field communications (NFC) component, Team Fluoroacetate exfiltrated a photograph from the smartphone with just one click. This earned the hackers another $30,000 (£23,000) in prize money.

Samsung has yet to comment on the Team Fluoroacetate exploits, but as I already mentioned, it does have a 90-day period in which to fix these vulnerabilities before the technical detail of how they were exploited is disclosed publicly. That's good news. From the Samsung perspective the less good news is that this was the third consecutive year that a Pwn2Team has been able to successfully hack a flagship Samsung smartphone handset. Somewhat embarrassingly, the baseband attack vector was used across all three years. So much for the "vault-like security built to let only you in" claim.

Meanwhile, Team Fluoroacetate finished Pwn2Own Tokyo 2019 with an impressive bounty haul of $195,000 (£152,000) alongside the Master of Pwn title.

">

Hackers gathered in Tokyo during the first week of November 2019; they were there to hack stuff and make money. They succeeded, and then some. The "stuff" successfully hacked during the Pwn2Own Tokyo event included an Amazon Echo Show 5, a brace of smart TVs, some routers and the Xiaomi M9 smartphone. Oh yes, and the Samsung Galaxy S10. Twice.

What is Pwn2Own?

Pwn2Own is a hacking event that started in 2007 and is now held twice every year. The hacking teams taking part are comprised of some of the leading security researchers, or "white hat" hackers, from around the world. They aim to "pwn" specific devices, in competition against each other. Pwning is defined as "utterly defeating" someone in a video game or, in this case, a something. Once a device has been pwned, the hackers can then claim to "own" it, and they demonstrate this ownership by doing things they shouldn't be able to, such as exfiltrating data or installing malware.

In Tokyo, the competition organized by Zero Day Initiative, saw hackers taking part win a total of $315,000 (£246,000) for their efforts in disclosing 18 different "zero-day" vulnerabilities. These vulnerabilities are then reported to the vendors of the pwned devices, with a 90-day timescale to fix the security issues before they are publicly disclosed. Every successful exploit at Pwn2Own earns points as well as cash for the hacking teams taking part. The team with the most points is crowned "Master of Pwn." For the third year in succession, that title has gone to Team Fluoroacetate.

Who is Team Fluoroacetate?

Team Fluoroacetate is the highly successful hacker pairing of security researchers Richard Zhu and Amat Cama. At the Pwn2Own Vancouver event held during March 2019, Team Fluoroacetate managed to hack a Tesla Model 3 car to exploit the infotainment system and display a message. They also pwned the Apple Safari, Microsoft Edge, and Mozilla Firefox web browsers at the same event. Their prize winnings from Vancouver totaled $375,000, and the Tesla Model 3 they had managed to hack. They also won the Master of Pwn title, as they had at the previous event.

How was the Samsung Galaxy S10 hacked?

There has been a lot of attention paid to the hacking of any smartphone fingerprint security, and the Samsung Galaxy S10 itself hasn't escaped the claims of fingerprint scanner hacking. This is hardly surprising given that new biometric technology could be featured, quite literally, front and center in the yet to be released Samsung Galaxy S11.  

However, Team Fluoroacetate did not pay any attention to biometrics at Pwn2Own; instead they used a rogue baseband base station to which the Galaxy S10 was connected. The baseband, which enables smartphone modems to communicate with the cell network has been in the news recently after researchers tricked several Android phones into snooping on their owners. Team Fluoroacetate earned $50,000 (£39,000) for placing an arbitrary file, which could have been malware in the hands of a hostile attacker, onto the Galaxy S10 using the baseband station and a stack overflow exploit.

That was one Samsung Galaxy S10 hack. Team Fluoroacetate wasn't finished there, though. By employing a double-whammy of a JavaScript Just-In-Time compiler bug and a use-after-free memory corruption vulnerability the team could escape the Galaxy S10 sandbox that is meant to protect the device by isolating different application processes. By exploiting the vulnerabilities via the Galaxy S10 near-field communications (NFC) component, Team Fluoroacetate exfiltrated a photograph from the smartphone with just one click. This earned the hackers another $30,000 (£23,000) in prize money.

Samsung has yet to comment on the Team Fluoroacetate exploits, but as I already mentioned, it does have a 90-day period in which to fix these vulnerabilities before the technical detail of how they were exploited is disclosed publicly. That's good news. From the Samsung perspective the less good news is that this was the third consecutive year that a Pwn2Team has been able to successfully hack a flagship Samsung smartphone handset. Somewhat embarrassingly, the baseband attack vector was used across all three years. So much for the "vault-like security built to let only you in" claim.

Meanwhile, Team Fluoroacetate finished Pwn2Own Tokyo 2019 with an impressive bounty haul of $195,000 (£152,000) alongside the Master of Pwn title.

Follow me on Twitter or LinkedIn. Check out my website.

I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Sec

...