The first Toronto edition of Trend Micro’s Pwn2Own hacking contest began Tuesday, with individuals or teams from a number of countries attempting to break into consumer products in hopes of winning a share of hundreds of thousands of dollars in prizes.
Within two hours, two teams had each won US$20,000. By the end of the day US$400,000 had been awarded for the discovery of 26 bugs.
“This event is going to be our largest ever, with 26 teams attempting 66 exploits against various targets,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in an interview.
Held at Trend Micro’s Toronto office, it is scheduled to last four days.
Entrants — who will try to crack home-office or mobile devices by creating unique exploits — will participate either on-premises or remotely from a number of countries, including Canada, the U.S., Germany, France, the Netherlands, Vietnam, and South Korea.
They are trying to break into a Canon multi-function printer, a TP-Link WiFi router, a Sonos wireless speaker, a Samsung Galaxy S22 smart phone, and more.
First started in 2007 at Vancouver’s CanSecWest conference — and a regular feature there ever since — the Pwn2Own contest challenges white hat hackers to break into devices that IT hardware and software manufacturers believe are secure. Targets, announced before the contest so participants can prepare, can range from browsers to a Tesla 3. In most cases, the team or person that breaks into the device gets to own it — hence the name of the contest — and/or win a prize because Trend Micro purchases the exploit. Vendors, in turn, learn about the weaknesses in their products.
And entrants have to work to win. They have three five-minute attempts to demonstrate their exploit by completely taking over a system. “It’s not just proof of concept code or not just showing debugging,” Childs said. “They have to show real code execution on the target.”
If successful, the winner goes into a physical or virtual back room to give judges details of their work, to prove it really is a previously unknown zero-day exploit. In addition, the product’s manufacturer has to verify on the spot that it hasn’t heard of the exploit before. Only then is a winner officially declared.
For the Toronto event, prizes from US$5,000 to US$100,000 for each exploit are available. Childs thinks US$1 million may be awarded this week.
In addition to Toronto, Pwn2Own contests were held this year in Vancouver and Miami. Each contest has a theme. Traditionally, Vancouver focuses on enterprise products including operating systems. Miami’s theme was industrial controllers and SCADA devices.
In April, participants at the Miami event won US$400,000 for demonstrating 26 exploits and bug collisions. In May, Vancouver participants won US$1.15 million for showing 25 unique zero-day exploits.
Childs said Toronto was chosen because Trend Micro has a large enough office here, the city has good international connections (although he admitted getting participants here in December was a challenge), and it has the ability to furnish things that organizers may run out of. For example, he said, they had to empty Toronto Best Buy stores of a certain model of Netgear router.
Tuesday morning’s winners included a team from U.K.-based penetration testing firm Nettitude, which executed a stack-based buffer overflow attack against the Canon imageCLASS MF743Cdw printer.
A team called Qrious Secure executed two bug attacks (an authentication bypass and a command injection) against the WAN interface of a TP-Link AX1800 router.
UPDATE: Here are the rest of the winners from the first day:
– Horizon3 AI was able to execute their command injection attack by getting a Lexmark MC3224i printer to play music. They earn US$20,000;
– Gaurav Baruah was able to execute their command injection attack against the WAN interface of the Synology RT6600ax in the Router category, earning US$20,000;
– Interrupt Labs was able to execute their stack-based buffer overflow attack on the third and final try against the HP Color LaserJet Pro M479fdw printer to earn US$20,000;
– STAR Labs was able to execute their improper input validation attack on their third try against the Samsung Galaxy S22 to earn US$50,000;
– Computest was able to execute their command injection root shell attack against the LAN interface of the Synology RT6600ax router to earn US$5,000;
– Chim was able to execute their improper input validation attack against the Samsung Galaxy S22 to earn US$25,000;
– Interrupt Labs was able to execute two bugs (SQL injection and command injection) against the LAN interface of a Netgear router to earn US$5,000;
– Devcore became the first team ever to successfully execute two different stack-based buffer overflow attacks against a Mikrotik router and a Canon printer in the new SOHO Smashup category to earn US$100,000;
– Claroty Research was able to execute a chain of three bugs (two missing authentication for critical function and an authentication bypass) in an attack against the Synology DiskStation in the NAS category to earn US$40,000;
– Team Viettel was able to execute two bugs (including a command injection) in an attack against an HP Color LaserJet Pro printer to earn US$10,000;
– ASU SEFCOM was able to execute their OOB Write attack against the Synology DiskStation DS920+ in the NAS category to gain code execution. However, one of the exploits they used was already publicly known. They still earned US$10,000;
– Claroty Research was able to execute five different bugs in an attack against the LAN interface of a Netgear router to earn US$2,500;
– NCC Group EDG was able to execute their command injection attack against the LAN interface of a Synology router. However, the exploit they used was exploited earlier in the competition. They still earned US$1,250;
– Neodyme became the second team to triumph in the new SOHO Smashup category by executing an attack using three bugs against a Netgear router and an HP printer to earn US$50,000;
– Tri Dang from Qrious Secure successfully exploited the LAN interface of a Netgear router, but it was ruled a collision because of an earlier exploit. They still earned US$1,250.