Friday, December 9, 2022

Samsung, HP, MikroTik & Netgear Pwned


Held at Zero Day Initiative (ZDI)'s Toronto office, this year's Pwn2Own kicked off smoothly on 6 December 2022, with contestants taking part both in person and remotely. Before we dive into the proceedings on the event days, let's talk about what Pwn2Own is and how it started.

What’s Pwn2Own?

Pwn2Own is a hacking contest where security researchers are invited to hack into devices that IT hardware and software manufacturers believe are secure.

At Pwn2Own Toronto 2022, contestants had targets such as mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices to hack into.

For their efforts resulting in a successful hack, the participants are rewarded with prize money.

Starting in April 2007 during the CanSecWest conference in Vancouver, Pwn2Own has come a long way to become the highly reputed competition that it is. It began when security researcher Dragos Ruiu wanted to put Apple's impenetrable security system to the test, and ever since, the competition has followed a similar mission statement.

Not only has it allowed organizations to normalize bug reporting, but it has also changed how the industry looks at security.

This fall's Pwn2Own event introduced a new category called "SOHO Smashup" (Small Office/Home Office) to incorporate a real-world setting in which a threat actor would exploit a home office.

A contestant is required to pick a router and begin by exploiting the WAN interface, after which they pivot to the LAN, where a second device such as a NAS appliance, a smart speaker, or a printer is hacked.

DAY 1 PROCEEDINGS

The first day of the competition welcomed participants who won a total of $400,000 for exploits targeting phones, printers, routers, and NAS devices.

The Devcore team, a recurring contestant in the competition, won the highest single reward of $100,000 in the SOHO Smashup category for hacking a MikroTik router and a Canon printer connected to it.

Coming in second with a reward of $50,000 was team Neodyme, which successfully hacked a Netgear router and an HP printer.

Meanwhile, the Star Labs team also earned $50,000 for hacking a Samsung Galaxy S22 smartphone. The same device was also hacked by a participant named Chim, who earned $25,000.

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also several $20,000 rewards for hacking Canon, HP, and Lexmark printers and TP-Link and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. The Netgear exploits by some contestants, including Tenable, were neutralized just days before the competition due to a last-minute hotfix released by the vendor.

With 26 contestants signing up for 66 exploits, ZDI decided that the full cash prize would be awarded to the first winner of each target, with subsequent exploits getting 50% of the prize money.

DAY 2 PROCEEDINGS

On the second day of the competition, participants earned a total of more than $280,000 for their exploits. A large share of that total was earned by targeting smart speakers, specifically vulnerabilities in the Sonos One smart speaker.

$60,000 went to a team from Qrious Secure for hacking a Sonos One speaker, while $22,500 went to the Star Labs team for an exploit that involved targeting one new and one previously known flaw.

The Bugscale team earned $37,500 for a SOHO Smashup exploit targeting a Synology router and an HP printer where, again, new and previously known bugs were used.

Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.

The list of devices hacked on the second day of Pwn2Own, for which participants earned between $1,250 and $10,000, includes HP, Lexmark, and Canon printers and Netgear, Synology, and TP-Link routers.

ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities. As the event progresses successfully, we look forward to it serving as a beacon to improve the relationship between vendors and independent researchers.
