“This year, the competition was the largest Pwn2Own tournament in Tokyo, with three groups competing for eight unique products in seven categories. The prize pool was $750,000 in cash and prizes available to participants, and, of course, not one Pwn2Own contest could do without the coronation of Master of Pwn (MoP) and the award of the coveted MoP jacket”, say the organizers of Pwn2Own Tokyo 2019.
The competition’s prize pool was $750,000 this year, and the list of targets for Pwn2Own Tokyo was the following:
Smartphones:
Wearable devices:
Home automation:
TV sets:
Routers:
On the first day of the competition, the leading team was Fluoroacetate, made up of Amat Cama and Richard Zhu. This team won the last two Pwn2Own competitions (in March 2019 and November 2018), and Cama and Zhu are currently considered among the best hackers in the world and the most successful Pwn2Own participants. This year, the researchers successfully compromised the Amazon Echo speaker, Sony and Samsung smart TVs, and the Xiaomi Mi9 smartphone.
As a result, Fluoroacetate earned $15,000 for hacking the Sony X800G TV using a JavaScript out-of-bounds read bug in the built-in browser. An attacker can use this bug to get a shell on the device by convincing the victim to visit a malicious site through the TV’s built-in browser.
The same team earned another $60,000 for taking control of an Amazon Echo device, which was achieved through an integer overflow. Another $15,000 came from getting a reverse shell on the Samsung Q60 TV, also achieved through an integer overflow.
In addition, Cama and Zhu earned $20,000 when they were able to extract an image from the Xiaomi Mi9 smartphone simply by having it visit a specially crafted site. They received another $30,000 for stealing images from the Samsung Galaxy S10 via NFC.
Team Flashback, which consisted of Pedro Ribeiro and Radek Domanski, also did well on the first day. They managed to take control of the NETGEAR Nighthawk Smart WiFi (R6700) router through the LAN interface, earning $5,000. Another $20,000 came from hacking the same router through the WAN interface and remotely changing its firmware, which allowed them to gain a persistent presence on the device that can survive even a factory reset. In addition, Team Flashback received $5,000 for an exploit chain that allows running code on the TP-Link AC1750 Smart WiFi router via the LAN interface.
The last team represented F-Secure Labs and tried to hack the TP-Link router and the Xiaomi Mi9 smartphone. Both attempts were only partially successful, but they still earned the researchers $20,000. The experts showed that they could extract a photo from a Xiaomi smartphone, but the manufacturer already knew about some of the vulnerabilities that they used.
On the second day of the competition, out of seven planned hacking attempts, four were completely successful.
The best performer was again the Fluoroacetate team, which earned $50,000 for downloading an arbitrary file to the Samsung Galaxy S10 (by connecting the device to their rogue base station). Cama and Zhu also made a second attempt to hack the Galaxy S10 through a browser, but they used a vulnerability that had already been used by a previous participant.
As a result, Zhu and Cama earned a total of $195,000 over the two days of Pwn2Own and, for the third time in a row, were declared winners of the competition, receiving the title of Master of Pwn.
Team Flashback’s Ribeiro and Domanski earned $20,000 for hacking the TP-Link AC1750 through the WAN interface. The same router was hacked by the F-Secure Labs team, which also earned $20,000. Both teams were able to execute arbitrary code on the device.
The F-Secure team also received $30,000 for an exploit targeting the Xiaomi Mi9. They used an XSS vulnerability in the NFC component to extract data simply by touching the phone to a specially crafted NFC tag.
In total, over the two days, Pwn2Own participants earned $315,000 for exploiting 18 different vulnerabilities, all of which have already been disclosed to the manufacturers. Vendors now have 90 days to fix the flaws.