54 hacks, 63 new bugs, $1 million in bounties – Naked Security


You’ve probably heard of Pwn2Own, a hacking contest that began life alongside the annual CanSecWest cybersecurity event in Vancouver, Canada.

Pwn2Own is now a multi-million “hackers’ brand” in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems.

The name, in case you’re wondering, is shorthand for “pwn it to own it”, where pwn (pronounced “pone”) is hacker-speak for “take control by exploiting a security hole”, and own literally means “have legal title over”.

Simply put: hack into it and you can take it home.

Indeed, even in the Pwn2Own Toronto 2022 contest, where the cash amounts of the prizes far exceeded the value of the devices put up to be hacked, winners got to take home the actual kit they broke into, thus retaining the original, literal sense of the competition.

Even if you’ve just won $100,000 for hacking into a networked printer by hacking your way through a small-business router first (as the team that ended up at the top of the overall leaderboard managed to do), taking home the actual devices is a neat reminder of a job well done.

These days, when hacking hardware such as routers or printers that have their own displays or blinking lights, researchers will prove their pwnership with amusing side-effects such as morse code messages via LEDs, or by displaying memetic videos such as a famous song by a famous 1980s pop crooner. The hacked device thus acts as its own historical documentary.

Hacking (the good kind)

We said “a job well done” above, because even though you need to think like a cybercriminal to win at Pwn2Own, given that you’re trying to generate a fully-working remote code execution attack that a crook would love to know about, and then to show your attack working against a current and fully-patched system…

…the ultimate goal of creating a successful “attack” is responsible disclosure, and thus better defences for everyone.

To enter the competition and win a prize, you’re agreeing not only to hand over your exploit code to the device vendor or vendors who put up the prize money, but also to provide a white paper that explains the exploit in the kind of detail that will help the vendor patch it quickly and (you hope) reliably.

The end-of-year Pwn2Own is a peripatetic sort of event, having variously been held in places as far apart as Aoyama in Tokyo, Amsterdam in the Netherlands, and Austin in Texas.

It was originally known as the “mobile phone” version of Pwn2Own, but the Toronto 2022 event invited contestants to hack in six main categories, of which only one included mobile phones.

The devices put forward by their vendors, and the prize money offered for successful hacks, looked like this:

HACK A PHONE..            AND WIN:
Samsung Galaxy S22        $50,000
Google Pixel 6           $200,000
Apple iPhone 13          $200,000

HACK A ROUTER..           AND WIN:
TPLink AX1800             $20,000 ($5000 if via LAN)
NETGEAR RAX30             $20,000 ($5000 if via LAN)
Synology RT6600ax         $20,000 ($5000 if via LAN)
Cisco C921-4P             $30,000 ($15,000 if via LAN)
Mikrotik RB2011           $30,000 ($15,000 if via LAN)
Ubiquiti EdgeRouter       $30,000 ($15,000 if via LAN)

HACK A HOME HUB..         AND WIN:
Meta Portal Go            $60,000
Amazon Echo Show 15       $60,000
Google Nest Hub Max       $60,000

HACK A PRINTER..          AND WIN:
HP Color LaserJet Pro     $20,000
Lexmark MC3224            $20,000
Lexmark MC3224i           $20,000
Canon imageClass MF743Cdw $20,000

HACK A SPEAKER..          AND WIN:
Sonos One Home Speaker    $60,000
Apple HomePod Mini        $60,000
Amazon Echo Studio        $60,000
Google Nest Studio        $60,000

HACK A NAS BOX..          AND WIN:
Synology DiskStation      $40,000
WD My Cloud Pro PR4100    $40,000

In this year’s event, the organisers went for extra-excitement hacks called Smashups – a bit like a baseball team agreeing in advance that any double play (two outs at once) in the next inning will immediately count as three outs and end the inning… but with the downside that any single outs on their own won’t count at all.

Smashups were worth up to $100,000 all at once, but you had to declare your intention up front and then hack one of the network devices by breaking in through the router first, followed by pivoting (in the jargon) directly from the router into the internal device.

Hacking the router via the WAN and then separately hacking, say, one of the printers, wouldn’t count as a Smashup – you had to commit to the all-in-one chain in advance.

Miss the router and you wouldn’t even get a chance at the printer; hack the router but miss the printer and you’d lose what you otherwise could have won by pwning the router on its own.

In the end, eight different teams of researchers decided to back themselves to go for the superbounties available through Smashups…

…and six of them succeeded in getting in through the router and then onto a printer.

Only one of the Smashup teams aimed at anything other than a printer once inside. The Qrious Security duo from Vietnam had a go at the Western Digital NAS via a NETGEAR router, but didn’t get all the way to their target within the 30 minute limit imposed by the rules of the competition.

And the winners were…

To add a poker-like element of luck to the contest, and to avoid arguments about who deserves the most recognition when two teams just happen to find the same bug, the teams go in to bat in a randomly decided order.

Simply put, if two teams rely on the same bug somewhere in their attack, the one that went first scoops the full cash prize.

Anyone else using the same bug gets the same leaderboard points, but only 50% of the cash reward.

As a result, the outright winners won’t necessarily earn the most money – in the same sort of way that it’s possible to cycle to outright victory in the Tour de France without ever winning an individual stage.

This year, the Master of Pwn (top-place finishers do get a winner’s jersey, but unlike Le Tour, it’s not yellow, and it’s technically a jacket) did win the most money, with $142,000.

But the STAR Labs team from Singapore, who ended up just outside the medals in fourth place in the General Classification standings, had the happy consolation of taking home the next-biggest paycheck, with $97,500.

In case you’re wondering, the top three places were taken by corporate teams for whom bug-hunting and penetration testing is a day job:

1. DEVCORE (18.5 leaderboard points plus $142,000). This team works for a Taiwanese red-teaming and cybersecurity company whose official website includes staff identified only by mysterious names such as Angelboy, CB and Meh.

2. NCC Group EDG (16.5 points plus $82,500). This team comes from the dedicated exploit development group (EDG) of a global cybersecurity consultancy originally spun off in 1999 from the UK government’s National Computing Centre.

3. Viettel Security (15.5 points plus $78,750). This is the cybersecurity group of Vietnam’s state-owned telecommunications company, the country’s largest.

Who didn’t get hacked?

Fascinatingly, the eight products that didn’t get hacked were the ones with the biggest bounties.

The phones from Apple and Google, worth $200,000 each (plus a $50,000 bonus for kernel-level access), weren’t breached.

Likewise, the $60,000-a-pop home hubs from Meta, Amazon and Google stayed safe, along with the $60,000-each speakers from Apple, Amazon and Google.

The only $60,000 bounty that paid out was the one offered by Sonos, whose speaker was attacked by three different teams and pwned every time. (Only the first team had a unique chain of bugs, so they were the only ones that netted the full $60,000.)

Just as fascinatingly, perhaps, the products that didn’t get pwned didn’t actually survive any attacks, either: no one attempted them.

The most likely reason for this, of course, is that no one is going to commit to entering Pwn2Own, writing up a publication-quality report, and travelling to Toronto to face public scrutiny, live-streamed to their peers around the world…

…unless they’re pretty jolly sure that their hacking attempt is going to work out.

But there’s also the issue that there are bug-buying services that compete with Trend Micro’s Zero Day Initiative (ZDI), and that claim to offer much bigger bounties.

So we don’t know whether Apple’s and Google’s phones and speakers, for example, went untested because they genuinely were safer, or simply because any bugs discovered were worth more elsewhere.

Zerodium, for example, claims to pay “up to” $2,500,000 for top-level Android security holes, and $2,000,000 for holes in Apple’s iOS, albeit with the tough proviso that you don’t get to say what happens to the bug or bugs you send in.

ZDI, in contrast, aims to provide a responsible disclosure pathway for bug hunters.

The “code of silence” that bug finders are required to comply with after handing over their reports is there primarily so that the details can be shared privately and safely with the vendor.

So, even though the vendors at this Pwn2Own paid out a total of $989,750, according to our calculations…

…that’s 63 fewer full-on, genuinely exploitable bugs left out there that cybercriminals and rogue operators might otherwise latch onto and exploit for evil.
