On Day 1 of Pwn2Own Tokyo 2019, the world’s most expensive hacking contest, researchers hacked well-known products such as the Sony TV, NETGEAR Router, TP-Link WiFi Router, Amazon Echo, Xiaomi Mi9 and Galaxy S10, and earned $195,000 across different categories.
Pwn2Own is a live hacking contest in which contestants are challenged to exploit widely used software and mobile devices. It is now organized by Trend Micro’s Zero Day Initiative (ZDI) for ethical hackers and security researchers, who participate from different countries to find and exploit zero-day vulnerabilities.
Eight unique products feature in seven categories, with the vendors offering USD 750,000 in cash and prizes to the contestants.
This year, ZDI is conducting this hacking contest for the second time. At the first event, conducted in March, ZDI awarded a total of $545,000 to ethical hackers for reporting 19 unique zero-day bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, and Mozilla Firefox.
$195,000 Awarded on the First Day
Fluoroacetate is a veteran of Pwn2Own; the team already won the first Pwn2Own, held in March 2019. At that event, they earned $375,000, laptops and a car over the contest, which resulted in 36 Master of Pwn points.
A new team called “Team Flashback” (Pedro Ribeiro and Radek Domanski) targeted the LAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700) and successfully exploited a stack-based buffer overflow to get a shell on the router, which earned them $5,000 and 0.5 Master of Pwn points.
The Flashback team also attempted to compromise the WAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700) in the Router category. As a result, they were able to remotely modify the router’s firmware such that their payload persisted across a factory reset, which earned them $20,000 and 1 more Master of Pwn point.
Their final target of the first day was the LAN interface of the TP-Link AC1750 Smart WiFi router. The Flashback team exploited 3 different bugs, which earned them $5,000 and 0.5 Master of Pwn points, for a total of $30,000 from the Flashback team’s first-day attempts.
Researchers (Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro) from F-Secure Labs made the final attempt of the first day. They targeted the Xiaomi Mi9 handset in the Web Browser category and gained partial success.
They demonstrated a couple of chained logic bugs that were known to the respective vendor, but the team still received $20,000 and 2 Master of Pwn points.
By the end of the first day, 3 teams had earned $195,000 in total. We will keep you updated on the upcoming day’s targets and results. Please stay tuned.