Wednesday, April 17, 2024

PWN2OWN 2019 (Day 1) – Ethical Hackers Earned $195,000 for Hacking Sony TV, Amazon Echo, Xiaomi Mi9, Galaxy S10

On Day 1 of Pwn2Own Tokyo 2019, the world’s most expensive hacking contest, researchers hacked well-known products such as Sony TV, NETGEAR Router, TP-Link WiFi Router, Amazon Echo, Xiaomi Mi9 and Galaxy S10, earning $195,000 across different categories.

Pwn2Own is a live hacking contest in which contestants are challenged to exploit widely used software and mobile devices. It is now organized by Trend Micro’s Zero Day Initiative (ZDI) for ethical hackers and security researchers from different countries, who take part to find and exploit zero-day vulnerabilities.

8 unique products took part across seven categories, with vendors offering USD 750,000 in cash and prizes to the contestants.

This year, ZDI is conducting this hacking contest for the second time. At the first event, held in March, ZDI awarded a total of $545,000 to ethical hackers for reporting 19 unique zero-day bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, and Mozilla Firefox.

$195,000 Awarded on the First Day

Fluoroacetate Team

On the first day, a team called Fluoroacetate (Amat Cama and Richard Zhu) attempted to exploit the Sony X800G TV; this is the very first time Sony has participated in this event.

Fluoroacetate is a veteran of Pwn2Own; they already won the first Pwn2Own, held in March 2019. In that event, they earned $375,000, laptops and a car over the course of the contest, along with 36 Master of Pwn points.

At the end of the attempt, Fluoroacetate got a bind shell via a JavaScript out-of-bounds (OOB) read in the embedded web browser, earning USD 15,000 and 2 points.

In their next attempt, the Fluoroacetate team came back and targeted the Home Automation category, selecting the Amazon Echo Show 5 as their target. They used an integer overflow in JavaScript to compromise the device and take control, which earned them $60,000 and 6 Master of Pwn points.

They returned again and targeted the Samsung Q60 TV, where they were able to use an integer overflow in JavaScript to get a reverse shell from the television. The successful demonstration earned them $20,000 and 2 Master of Pwn points.

In another attempt, they hacked the Xiaomi Mi9 using a JavaScript bug that jumped the stack to exfiltrate a picture from the Xiaomi Mi9, earning USD 20,000 and 2 additional Master of Pwn points.

In the Fluoroacetate team’s final attempt of Day 1, they targeted the Samsung Galaxy S10 via the NFC component, using a bug in the JavaScript JIT followed by a use-after-free (UAF) to escape the sandbox and grab a picture from the phone. This earned them $30,000, for a total of $145,000 on the first day.

Flashback Team

A new team called “Team Flashback” (Pedro Ribeiro and Radek Domanski) targeted the LAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700) and successfully exploited a stack-based buffer overflow to get a shell on the router, which earned them $5,000 and 0.5 Master of Pwn points.

The Flashback team also attempted to compromise the WAN interface of the NETGEAR Nighthawk Smart WiFi Router (R6700) in the Router category. As a result, they were able to remotely modify the router’s firmware such that their payload persisted across a factory reset, which earned them $20,000 and 1 more Master of Pwn point.

Their final target of the first day was the LAN interface of the TP-Link AC1750 Smart WiFi router. The Flashback team exploited 3 different bugs, which earned them $5,000 and 0.5 Master of Pwn points, for a total of $30,000 for the first day’s attempts by the Flashback team.

F-Secure Labs

Researchers (Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro) from F-Secure Labs made the final attempt of the first day. They targeted the Xiaomi Mi9 handset in the Web Browser category and gained partial success.

They demonstrated a couple of chained logic bugs that were known to the respective vendor. But the team still received $20,000 and 2 Master of Pwn points.

At the end of the first day, 3 teams had earned $195,000 in total. We will keep you updated on the upcoming days’ targets and results. Please stay tuned.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
