You’ve probably heard of Pwn2Own, a hacking contest that started life alongside the annual CanSecWest cybersecurity event in Vancouver, Canada.
Pwn2Own is now a multi-million-dollar “hackers’ brand” in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems.
The name, in case you’re wondering, is shorthand for “pwn it to own it”, where pwn (pronounced “pone”) is hacker-speak for “take control by exploiting a security hole”, and own literally means “have legal title over”.
Simply put: hack into it and you get to take it home.
Indeed, even in the Pwn2Own Toronto 2022 contest, where the cash amounts of the prizes far exceeded the value of the devices to be hacked, winners got to take home the actual equipment they broke into, thus retaining the original, literal sense of the competition.
Even if you’ve just won $100,000 for hacking into a networked printer by hacking your way through a small-business router first (as the team that ended up at the top of the overall leaderboard managed to do), taking home the actual devices is a neat reminder of a job well done.
These days, when hacking hardware such as routers or printers that have their own displays or blinking lights, researchers will show off their pwnership with amusing side-effects such as morse code messages via LEDs, or by displaying memetic videos such as a famous song by a famous 1980s pop crooner. The hacked device thus acts as its own historical documentary.
Hacking (the good sort)
We said “a job well done” above, because even though you need to think like a cybercriminal to win at Pwn2Own, given that you’re trying to produce a fully-working remote code execution attack that a crook would love to know about, and then to show your attack working against a current and fully-patched system…
…the ultimate goal of creating a successful “attack” is responsible disclosure, and thus better defences for everyone.
To enter the competition and win a prize, you’re agreeing not only to hand over your exploit code to the device vendor or vendors who put up the prize money, but also to provide a white paper that explains the exploit in the sort of detail that will help the vendor patch it quickly and (you hope) reliably.
The end-of-year Pwn2Own is a peripatetic sort of event, having variously been held in places as far apart as Aoyama in Tokyo, Amsterdam in the Netherlands, and Austin in Texas.
It was originally known as the “mobile phone” version of Pwn2Own, but the Toronto 2022 event invited contestants to hack in six main categories, of which only one included mobile phones.
The devices put forward by their vendors, and the prize money offered for successful hacks, looked like this:
HACK A PHONE... AND WIN:
    Samsung Galaxy S22 - $50,000
    Google Pixel 6 - $200,000
    Apple iPhone 13 - $200,000
HACK A SOHO ROUTER... AND WIN:
    TP-Link AX1800 - $20,000 ($5,000 if via LAN)
    NETGEAR RAX30 - $20,000 ($5,000 if via LAN)
    Synology RT6600ax - $20,000 ($5,000 if via LAN)
    Cisco C921-4P - $30,000 ($15,000 if via LAN)
    MikroTik RB2011 - $30,000 ($15,000 if via LAN)
    Ubiquiti EdgeRouter - $30,000 ($15,000 if via LAN)
HACK A HOME HUB... AND WIN:
    Meta Portal Go - $60,000
    Amazon Echo Show 15 - $60,000
    Google Nest Hub Max - $60,000
HACK A NETWORK PRINTER... AND WIN:
    HP Color LaserJet Pro - $20,000
    Lexmark MC3224 - $20,000
    Lexmark MC3224i - $20,000
    Canon imageClass MF743Cdw - $20,000
HACK A SPEAKER... AND WIN:
    Sonos One Home Speaker - $60,000
    Apple HomePod Mini - $60,000
    Amazon Echo Studio - $60,000
    Google Nest Studio - $60,000
HACK A NAS BOX... AND WIN:
    Synology DiskStation - $40,000
    WD My Cloud Pro PR4100 - $40,000
At this year’s event, the organisers went for extra-excitement hacks called Smashups – a bit like a baseball team agreeing in advance that any double play (two outs at once) in the next inning will immediately count as three outs and end the inning… but with the downside that any single outs on their own won’t count at all.
Smashups were worth up to $100,000 all at once, but you had to declare your intention up front and then hack one of the network devices by breaking in through the router first, followed by pivoting (in the jargon) directly from the router into the internal device.
Hacking the router via the WAN and then separately hacking, say, one of the printers, wouldn’t count as a Smashup – you had to commit to the all-in-one chain in advance.
Miss the router and you wouldn’t even get a chance at the printer; hack the router but miss the printer and you’d lose what you otherwise might have won by pwning the router on its own.
In the end, eight different teams of researchers decided to back themselves to go for the superbounties available through Smashups…
…and six of them succeeded in getting in through the router and then onto a printer.
Only one of the Smashup teams aimed at anything other than a printer once inside. The Qrious Security duo from Vietnam had a go at the Western Digital NAS via a NETGEAR router, but didn’t get all the way to their target within the 30-minute limit imposed by the rules of the competition.
And the winners were…
To add a poker-like element of luck to the contest, and to avoid arguments about who deserves the most recognition when two teams just happen to find the same bug, the teams go in to bat in a randomly decided sequence.
Simply put, if two teams rely on the same bug somewhere in their attack, the one that went first scoops the full cash prize.
Anyone else using the same bug gets the same leaderboard points, but only 50% of the cash reward.
As a result, the outright winners won’t necessarily earn the most money – in the same sort of way that it’s possible to cycle to outright victory in the Tour de France without ever winning an individual stage.
This year, the Master of Pwn (top-placed finishers do get a winner’s jersey, but unlike Le Tour, it’s not yellow, and it’s technically a jacket) did win the most money, with $142,000.
But the STAR Labs team from Singapore, who ended up just outside the medals in fourth place in the General Classification standings, had the happy commiseration of taking home the next-biggest paycheck, with $97,500.
In case you’re wondering, the top three places were taken by corporate teams for whom bug-hunting and penetration testing is a day job:
1. DEVCORE (18.5 leaderboard points plus $142,000). This team works for a Taiwanese red-teaming and cybersecurity company whose official website includes staff known only by mysterious names such as Angelboy, CB and Meh.
2. NCC Group EDG (16.5 points plus $82,500). This team comes from the dedicated exploit development group (EDG) of a global cybersecurity consultancy originally spun off in 1999 from the UK government’s National Computing Centre.
3. Viettel Security (15.5 points plus $78,750). This is the cybersecurity group of Vietnam’s state-owned telecommunications company, the country’s largest.
THE MAILLOT JAUNE OF PWN2OWN (EVEN IF ONLY THE TEXT IS YELLOW)
Who didn’t get hacked?
Interestingly, the eight products that didn’t get hacked were the ones with the biggest bounties.
The phones from Apple and Google, worth $200,000 each (plus a $50,000 bonus for kernel-level access), weren’t breached.
Likewise, the $60,000-a-pop home hubs from Meta, Amazon and Google stayed safe, along with the $60,000-each speakers from Apple, Amazon and Google.
The only $60,000 bounty that paid out was the one offered by Sonos, whose speaker was attacked by three different teams and pwned each time. (Only the first team had a unique chain of bugs, so they were the only ones that netted the full $60,000.)
Just as interestingly, perhaps, the products that didn’t get pwned didn’t actually survive any attacks, either: no one attempted them.
The most likely reason for this, of course, is that no one is going to commit to entering Pwn2Own, writing up a publication-quality report, and travelling to Toronto to face public scrutiny, live-streamed to their peers around the world…
…unless they’re pretty jolly sure that their hacking attempt is going to work out.
But there’s also the issue that there are bug-buying services that compete with Trend Micro’s Zero Day Initiative (ZDI), and that claim to offer much higher bounties.
So we don’t know whether Apple’s and Google’s phones and speakers, for example, went untested because they genuinely were more secure, or simply because any bugs discovered were worth more elsewhere.
Zerodium, for example, claims to pay “up to” $2,500,000 for top-level Android security holes, and $2,000,000 for holes in Apple’s iOS, albeit with the tricky proviso that you don’t get to say what happens to the bug or bugs you send in.
ZDI, in contrast, aims to offer a responsible disclosure pathway for bug hunters.
The “code of silence” that bug finders are required to comply with after handing over their reports is there primarily so that the details can be shared privately and safely with the vendor.
So, even though the vendors at this Pwn2Own paid out a total of $989,750, according to our calculations…
…that’s 63 fewer full-on, genuinely exploitable bugs left out there that cybercriminals and rogue operators might otherwise latch onto and exploit for evil.