The hacking tournament Pwn2Own Tokyo 2019, traditionally held as part of the PacSec conference and organized by the Trend Micro Zero Day Initiative (ZDI), has come to an end.This is one of two annual Pwn2Own hacking competitions. The first is held in North America in the spring and focuses exclusively on hacking browsers, operating systems, server solutions, and virtual machines. The second is held in Tokyo in the fall and is dedicated to mobile technology. In addition, last year, the organizers of Pwn2Own for the first time expanded the autumn phase to include IoT devices for smart homes.
“This year, the competition was the largest Pwn2Own tournament in Tokyo, with three groups competing for eight unique products in seven categories. The prize pool was $ 750,000 in cash and prizes available to participants, and, of course, not one Pwn2Own contest could do without the coronation of Master of Pwn (MoP) and the award of the coveted MoP jacket”, – say organizers of Pwn2Own Tokyo 2019.
The competition’s prize pool was $750,000 this year, and the list of goals for Pwn2Own Tokyo was the following:
- Xiaomi Mi 9
- Samsung Galaxy S10
- Huawei P30
- Google Pixel 3 XL
- Apple iPhone XS Max
- Oppo F11 Pro
- Apple Watch Series 4
- Oculus Quest (64Gb)
- Portal by Facebook
- Amazon Echo Show 5
- Google Nest Hub Max
- Amazon Cloud Cam Security Camera
- Nest Cam IQ Indoor
- Sony X800G Series – 43″
- Samsung Q60 Series – 43″
- TP-Link AC1750 Smart WiFi Router
- NETGEAR Nighthawk Smart WiFi Router (R6700)
On the first day of the competition, the Fluoroacetate was a leading team, it consisted of Amat Cama and Richard Zhu. This team won the last two Pwn2Own competitions (in March 2019 and November 2018) and Kama and Zhu are currently considered one of the best hackers in the world and the most successful Pwn2Own participants. This year, experts successfully compromised the Amazon Echo column, and successfully hacked Sony and Samsung smart TVs, and the Xiaomi Mi9 smartphone.
The same team earned another $60,000 for taking control of an Amazon Echo device, which was implemented through integer overflow. Another $15,000 came from getting a reverse shell on the Samsung Q60 TV, also realized through integer overflow.
In addition, Kama and Zhu earned $20,000 when they were able to extract the image from the Xiaomi Mi9 smartphone, simply by going to a specially created site. They received another $30,000 for stealing images from the Samsung Galaxy S10 via NFC.Also on the first day the Team Flashback did a good job, which included Pedro Ribeiro and Radek Domanski. They managed to take control of the NETGEAR Nighthawk Smart WiFi (R6700) router through a LAN interface, earning $5,000. Another $20,000 to the team was brought by hacking the same router through the WAN interface and remotely changing its firmware, which allowed us to get a stable presence on the device that can withstand even a factory reset.
In addition, Team Flashback received $5,000 for an exploit chain that allows running code on the TP-Link AC1750 Smart WiFi router via the LAN interface.
The last team represented F-Secure Labs and tried to hack into the TP-Link router and the Xiaomi Mi9 smartphone. Both attempts were only partially successful, but they still earned $20,000 for hackers. Experts have shown that they can extract a photo from a Xiaomi smartphone, but the manufacturer already knew some of the vulnerabilities that they used.
On the second day of the competition, out of seven planned hacking attempts, four were completely successful.
The best thing again was the Fluoroacetate team, which earned $50,000 for downloading an arbitrary file to the Samsung Galaxy S10 (by connecting the device to their fraudulent base station). Kama and Zhu also made a second attempt to hack the Galaxy S10 through a browser, but they used a vulnerability that was already used by the previous participant.
As a result, Zhu and Kama earned a total of $195,000 in two days Pwn2Own, and for the third time in a row were declared winners of the competition, receiving the title of Master of Pwn.
Team Flashback’s Ribeiro and Domansky earned $20,000 for hacking the TP-Link AC1750 through a WAN interface. The same router was hacked by the F-Secure Labs team, which also earned $20,000. Both teams were able to execute arbitrary code on the device.
The F-Secure team also received $30,000 for an exploit targeting the Xiaomi Mi9. They used the XSS vulnerability in the NFC component to extract data by simply touching a specially crafted NFC tag.
In total, in two days, Pwn2Own participants were able to earn $315,000 for exploiting 18 different vulnerabilities, and all of them have already been disclosed to manufacturers. Now vendors have 90 days to correct deficiencies.