Friday, November 1, 2024
HomeBug BountyPwn2Own 2019 – Ethical Hackers Earned $315,000 for Hacking Galaxy S10, Xiaomi...

Pwn2Own 2019 – Ethical Hackers Earned $315,000 for Hacking Galaxy S10, Xiaomi Mi9, TP-Link and Netgear WiFi Router

Published on

Malware protection

In this first day, Ethical hackers earned $195,000 by exploiting the vulnerabilities that reside in the different products, In the second and final day of Pwn2Own Tokyo 2019, researchers made 6 attempts in various categories and earned $315,000 in total 2 days of this contest.

In the first entry of day 2, Team Fluoroacetate (Amat Cama and Richard Zhu) attempt to exploit the Samsung Galaxy S10 in the mobile category.

“Their rogue base station used a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points and this is 3 rd time Samsung handset has been compromised via baseband”

- Advertisement - SIEM as a Service

In the next attempt, Fluoroacetate targeted the NETGEAR Nighthawk Smart WiFi Router (R6700) and successfully demonstrate the vulnerability.

In the next attempt, Pedro Ribeiro and Radek Domanski of team Flashback came back to target the WAN port of the TP-Link AC1750 Smart WiFi router.

They successfully exploit the bug using a stack overflow combined with a logic bug to gain code execution on the device that earned them $20,000 and one more points towards Master of Pwn.

In a total of 2 days contest, Team Flashback earned a total of $50,000 for four successful demonstrations.

Pedro Ribeiro of Team Flashback demonstration

Another Team from F-Secure Labs back to attack the WAN interface of the TP-Link AC1750 Smart WiFi router and they successfully demonstrate the combined command injection bug along with some insecure defaults to gain code execution on the device.

They also showed off their LED light skills by having the front of the router play “snake” for us. Style points asides, the successful demonstration earned them $20,000 and one Master of Pwn point.

In the next attempt, F-secure Team targeted the Xiaomi Mi9 handset via the NFC component.

” In order to exfiltrate a photo from the phone, they tapped it to their specially crafted NFC tag. That triggered a cross-site scripted (XSS) bug in the NFC component and sent a picture to a different phone they controlled.”

F-secure Team Final attempt earned them $30,000 and a total of $70,000 that take them to the second place of this contest.

Finally, Fluoroacetate holds the 18.5 points with $195,000 and retained their title of Master of Pwn.

Overall, we awarded more than $315,000 USD total over the two-day contest while purchasing 18 different bugs in the various products. ZDI said.

All the reported bugs in this contest have been notified to the respective vendors, now they have 90 days deadline to patch all these vulnerabilities that affected their products.

The next Pwn2Own event going to be conducted in Miami. Contest registration closes at 5:00 p.m. Eastern Standard Time on January 17th, 2020.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and Hacking News update.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

Hardcoded Creds in Popular Apps Put Millions of Android and iOS Users at Risk

Recent analysis has revealed a concerning trend in mobile app security: Many popular apps...

GHOSTPULSE Hides Within PNG File Pixel Structure To Evade Detections

Recent campaigns targeting victims through social engineering tactics utilize LUMMA STEALER with GHOSTPULSE as...