Monday, November 25, 2024
HomeBug BountyPwn2Own 2019 – Ethical Hackers Earned $315,000 for Hacking Galaxy S10, Xiaomi...

Pwn2Own 2019 – Ethical Hackers Earned $315,000 for Hacking Galaxy S10, Xiaomi Mi9, TP-Link and Netgear WiFi Router

Published on

In this first day, Ethical hackers earned $195,000 by exploiting the vulnerabilities that reside in the different products, In the second and final day of Pwn2Own Tokyo 2019, researchers made 6 attempts in various categories and earned $315,000 in total 2 days of this contest.

In the first entry of day 2, Team Fluoroacetate (Amat Cama and Richard Zhu) attempt to exploit the Samsung Galaxy S10 in the mobile category.

“Their rogue base station used a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points and this is 3 rd time Samsung handset has been compromised via baseband”

- Advertisement - SIEM as a Service

In the next attempt, Fluoroacetate targeted the NETGEAR Nighthawk Smart WiFi Router (R6700) and successfully demonstrate the vulnerability.

In the next attempt, Pedro Ribeiro and Radek Domanski of team Flashback came back to target the WAN port of the TP-Link AC1750 Smart WiFi router.

They successfully exploit the bug using a stack overflow combined with a logic bug to gain code execution on the device that earned them $20,000 and one more points towards Master of Pwn.

In a total of 2 days contest, Team Flashback earned a total of $50,000 for four successful demonstrations.

Pedro Ribeiro of Team Flashback demonstration

Another Team from F-Secure Labs back to attack the WAN interface of the TP-Link AC1750 Smart WiFi router and they successfully demonstrate the combined command injection bug along with some insecure defaults to gain code execution on the device.

They also showed off their LED light skills by having the front of the router play “snake” for us. Style points asides, the successful demonstration earned them $20,000 and one Master of Pwn point.

In the next attempt, F-secure Team targeted the Xiaomi Mi9 handset via the NFC component.

” In order to exfiltrate a photo from the phone, they tapped it to their specially crafted NFC tag. That triggered a cross-site scripted (XSS) bug in the NFC component and sent a picture to a different phone they controlled.”

F-secure Team Final attempt earned them $30,000 and a total of $70,000 that take them to the second place of this contest.

Finally, Fluoroacetate holds the 18.5 points with $195,000 and retained their title of Master of Pwn.

Overall, we awarded more than $315,000 USD total over the two-day contest while purchasing 18 different bugs in the various products. ZDI said.

All the reported bugs in this contest have been notified to the respective vendors, now they have 90 days deadline to patch all these vulnerabilities that affected their products.

The next Pwn2Own event going to be conducted in Miami. Contest registration closes at 5:00 p.m. Eastern Standard Time on January 17th, 2020.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and Hacking News update.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Wireshark 4.4.2 Released: What’s New!

The Wireshark Foundation has officially announced the release of Wireshark 4.4.2, the latest version...

ANY.RUN Sandbox Automates Interactive Analysis of Complex Cyber Attack Chains

ANY.RUN, a well-known interactive malware analysis platform, has announced Smart Content Analysis, an enhancement...

Rekoobe Backdoor In Open Directories Possibly Attacking TradingView Users

APT31, using the Rekoobe backdoor, has been observed targeting TradingView, a popular financial platform,...