You’ve probably heard of Pwn2Own, a hacking contest that began life alongside the annual CanSecWest cybersecurity event in Vancouver, Canada.
Pwn2Own is now a multi-million “hackers’ brand” in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems.
The name, in case you’re wondering, is shorthand for “pwn it to own it”, where pwn (pronounced “pone”) is hacker-speak for “take control by exploiting a security hole”, and own literally means “have legal title over”.
Simply put: hack into it and you can take it home.
Indeed, even in the Pwn2Own Toronto 2022 contest, where the cash amounts of the prizes far exceeded the value of the devices up to be hacked, winners got to take home the actual kit they broke into, thus retaining the original, literal sense of the competition.
Even if you’ve just won $100,000 for hacking into a networked printer by hacking your way through a small-business router first (as the team that ended up at the top of the overall leaderboard managed to do), taking home the actual devices is a neat reminder of a job well done.
These days, when hacking hardware such as routers or printers that have their own displays or blinking lights, researchers will show their pwnership with amusing side-effects such as morse code messages via LEDs, or displaying memetic videos such as a well-known song by a well-known 1980s pop crooner. The hacked device thus acts as its own historical documentary.
Hacking (the good kind)
We said “a job well done” above, because although you have to think like a cybercriminal to win at Pwn2Own, given that you’re trying to generate a fully-working remote code execution attack that a crook would love to know about, and then to show your attack working against a current and fully-patched system…
…the ultimate goal of creating a winning “attack” is responsible disclosure, and thus better defences for everyone.
To enter the competition and win a prize, you’re agreeing not only to hand over your exploit code to the device vendor or vendors who put up the prize money, but also to provide a white paper that explains the exploit in the sort of detail that will help the vendor patch it quickly and (you hope) reliably.
The end-of-year Pwn2Own is a peripatetic sort of event, having variously been held in places as far apart as Aoyama in Tokyo, Amsterdam in the Netherlands, and Austin in Texas.
It was originally known as the “mobile phone” version of Pwn2Own, but the Toronto 2022 event invited contestants to hack in six main categories, of which only one included mobile phones.
The devices put forward by their vendors, and the prize money offered for successful hacks, looked like this:
HACK A PHONE... AND WIN:
  Samsung Galaxy S22: $50,000
  Google Pixel 6: $200,000
  Apple iPhone 13: $200,000
HACK A SOHO ROUTER... AND WIN:
  TP-Link AX1800: $20,000 ($5,000 if via LAN)
  NETGEAR RAX30: $20,000 ($5,000 if via LAN)
  Synology RT6600ax: $20,000 ($5,000 if via LAN)
  Cisco C921-4P: $30,000 ($15,000 if via LAN)
  MikroTik RB2011: $30,000 ($15,000 if via LAN)
  Ubiquiti EdgeRouter: $30,000 ($15,000 if via LAN)
HACK A HOME HUB... AND WIN:
  Meta Portal Go: $60,000
  Amazon Echo Show 15: $60,000
  Google Nest Hub Max: $60,000
HACK A NETWORK PRINTER... AND WIN:
  HP Color LaserJet Pro: $20,000
  Lexmark MC3224: $20,000
  Lexmark MC3224i: $20,000
  Canon imageClass MF743Cdw: $20,000
HACK A SPEAKER... AND WIN:
  Sonos One Home Speaker: $60,000
  Apple HomePod Mini: $60,000
  Amazon Echo Studio: $60,000
  Google Nest Studio: $60,000
HACK A NAS BOX... AND WIN:
  Synology DiskStation: $40,000
  WD My Cloud Pro PR4100: $40,000
In this year’s event, the organisers went for extra-excitement hacks called Smashups – a bit like a baseball team agreeing in advance that any double play (two outs at once) in the next inning will automatically count as three outs and end the inning… but with the downside that any single outs on their own won’t count at all.
Smashups were worth up to $100,000 at once, but you had to declare your intention up front and then hack one of the network devices by breaking in via the router first, followed by pivoting (in the jargon) directly from the router into the internal device.
Hacking the router via the WAN and then separately hacking, say, one of the printers, wouldn’t count as a Smashup – you had to commit to the all-in-one chain in advance.
Miss the router and you wouldn’t even get a chance at the printer; hack the router but miss the printer and you’d lose what you otherwise might have won by pwning the router on its own.
In the end, eight different teams of researchers decided to back themselves to go for the superbounties available via Smashups…
…and six of them succeeded in getting in via the router and then onto a printer.
Only one of the Smashup teams aimed at anything other than a printer once inside. The Qrious Security duo from Vietnam had a go at the Western Digital NAS via a NETGEAR router, but didn’t get all the way to their target within the 30 minute limit imposed by the rules of the competition.
And the winners were…
To add a poker-like element of luck to the contest, and to avoid arguments about who deserves the most recognition when two teams just happen to find the same bug, the teams go in to bat in a randomly decided sequence.
Simply put, if two teams rely on the same bug somewhere in their attack, the one that went first scoops the full cash prize.
Anyone else using the same bug gets the same leaderboard points, but only 50% of the cash reward.
As a result, the outright winners won’t necessarily earn the most money – in the same sort of way that it’s possible to cycle to outright victory in the Tour de France without ever winning an individual stage.
This year, the Master of Pwn (top place finishers do get a winner’s jersey, but unlike Le Tour, it’s not yellow, and it’s technically a jacket) did win the most money, with $142,000.
But the STAR Labs team from Singapore, who ended up just outside the medals in fourth place in the General Classification standings, had the happy commiseration of taking home the next-biggest paycheck, with $97,500.
In case you’re wondering, the top three places were taken by corporate teams for whom bug-hunting and penetration testing is a day job:
1. DEVCORE (18.5 leaderboard points plus $142,000). This team works for a Taiwanese red-teaming and cybersecurity company whose official website includes staff identified only by mysterious names such as Angelboy, CB and Meh.
2. NCC Group EDG (16.5 points plus $82,500). This team comes from the dedicated exploit development group (EDG) of a global cybersecurity consultancy originally spun off in 1999 from the UK government’s National Computing Centre.
3. Viettel Security (15.5 points plus $78,750). This is the cybersecurity group of Vietnam’s state-owned telecommunications company, the country’s largest.
THE MAILLOT JAUNE OF PWN2OWN (EVEN IF ONLY THE TEXT IS YELLOW)
Who didn’t get hacked?
Fascinatingly, the eight products that didn’t get hacked were the ones with the biggest bounties.
The phones from Apple and Google, worth $200,000 each (plus a $50,000 bonus for kernel-level access), weren’t breached.
Likewise, the $60,000-a-pop home hubs from Meta, Amazon and Google stayed safe, along with the $60,000-each speakers from Apple, Amazon and Google.
The only $60,000 bounty that paid out was the one offered by Sonos, whose speaker was attacked by three different teams and pwned every time. (Only the first team had a unique chain of bugs, so they were the only ones that netted the full $60,000.)
Just as fascinatingly, perhaps, the products that didn’t get pwned didn’t actually survive any attacks, either.
The most likely reason for this, of course, is that no one is going to commit to entering Pwn2Own, writing up a publication-quality report, and travelling to Toronto to face public scrutiny, live-streamed to their peers around the world…
…unless they’re pretty jolly sure that their hacking attempt is going to work out.
But there’s also the issue that there are bug-buying services that compete with Trend Micro’s Zero Day Initiative (ZDI), and that claim to offer much bigger bounties.
So we don’t know whether Apple’s and Google’s phones and speakers, for example, went untested because they genuinely were more secure, or simply because any bugs discovered were worth more elsewhere.
Zerodium, for example, claims to pay “up to” $2,500,000 for top-level Android security holes, and $2,000,000 for holes in Apple’s iOS, albeit with the tricky proviso that you don’t get to say what happens to the bug or bugs you send in.
ZDI, in contrast, aims to provide a responsible disclosure pathway for bug hunters.
The “code of silence” that bug finders are required to comply with after handing over their reports is there primarily so that the details can be shared privately and safely with the vendor.
So, although the vendors in this Pwn2Own paid out a total of $989,750, according to our calculations…
…that’s 63 fewer full-on, genuinely exploitable bugs left out there that cybercriminals and rogue operators might otherwise latch onto and exploit for evil.