You’ve most likely heard of Pwn2Own, a hacking contest that began life alongside the annual CanSecWest cybersecurity event in Vancouver, Canada.
Pwn2Own is now a multi-million-dollar “hackers’ brand” in its own right, having been bought up by anti-virus outfit Trend Micro and extended to cover many more types of bug than just browsers and desktop operating systems.
The name, in case you’re wondering, is shorthand for “pwn it to own it”, where pwn (pronounced “pone”) is hacker-speak for “take control by exploiting a security hole”, and own literally means “have legal title over”.
Simply put: hack into it and you can take it home.
Indeed, even in the Pwn2Own Toronto 2022 contest, where the cash prizes far exceeded the value of the devices up for hacking, winners got to take home the actual equipment they broke into, thus retaining the original, literal sense of the competition.
Even if you’ve just won $100,000 for hacking into a networked printer by hacking your way through a small-business router first (as the team that ended up at the top of the overall leaderboard managed to do), taking home the actual devices is a neat reminder of a job well done.
These days, when hacking hardware such as routers or printers that have their own displays or blinking lights, researchers will demonstrate their pwnership with amusing side-effects such as morse code messages via LEDs, or by playing memetic videos such as a famous song by a famous 1980s pop crooner. The hacked device thus acts as its own historical documentary.
Hacking (the good kind)
We said “a job well done” above because, although you need to think like a cybercriminal to win at Pwn2Own, given that you’re trying to build a fully-working remote code execution attack that a crook would love to know about, and then to show your attack working against a current and fully-patched system…
…the ultimate goal of developing a successful “attack” is responsible disclosure, and thus better defences for everyone.
To enter the competition and win a prize, you’re agreeing not only to hand over your exploit code to the device vendor or vendors who put up the prize money, but also to provide a white paper that explains the exploit in the sort of detail that will help the vendor patch it quickly and (you hope) reliably.
The end-of-year Pwn2Own is a peripatetic sort of event, having variously been held in places as far apart as Aoyama in Tokyo, Amsterdam in the Netherlands, and Austin in Texas.
It was originally known as the “mobile phone” version of Pwn2Own, but the Toronto 2022 event invited contestants to hack in six main categories, of which only one included mobile phones.
The devices put forward by their vendors, and the prize money offered for successful hacks, looked like this:
HACK A PHONE… AND WIN:
  Samsung Galaxy S22: $50,000
  Google Pixel 6: $200,000
  Apple iPhone 13: $200,000

HACK A SOHO ROUTER… AND WIN:
  TP-Link AX1800: $20,000 ($5,000 if via LAN)
  NETGEAR RAX30: $20,000 ($5,000 if via LAN)
  Synology RT6600ax: $20,000 ($5,000 if via LAN)
  Cisco C921-4P: $30,000 ($15,000 if via LAN)
  MikroTik RB2011: $30,000 ($15,000 if via LAN)
  Ubiquiti EdgeRouter: $30,000 ($15,000 if via LAN)

HACK A HOME HUB… AND WIN:
  Meta Portal Go: $60,000
  Amazon Echo Show 15: $60,000
  Google Nest Hub Max: $60,000

HACK A NETWORK PRINTER… AND WIN:
  HP Color LaserJet Pro: $20,000
  Lexmark MC3224: $20,000
  Lexmark MC3224i: $20,000
  Canon imageClass MF743Cdw: $20,000

HACK A SPEAKER… AND WIN:
  Sonos One Home Speaker: $60,000
  Apple HomePod Mini: $60,000
  Amazon Echo Studio: $60,000
  Google Nest Audio: $60,000

HACK A NAS BOX… AND WIN:
  Synology DiskStation: $40,000
  WD My Cloud Pro PR4100: $40,000
In this year’s event, the organisers went for extra-excitement hacks called Smashups – a bit like a baseball team agreeing in advance that any double play (two outs at once) in the next inning will immediately count as three outs and end the inning… but with the downside that any single outs on their own won’t count at all.
Smashups were worth up to $100,000 in one go, but you had to declare your intention up front and then hack one of the internal network devices by breaking in via the router first, followed by pivoting (in the jargon) directly from the router into the internal device.
Hacking the router via the WAN and then separately hacking, say, one of the printers, wouldn’t count as a Smashup – you had to commit to the all-in-one chain up front.
Miss the router and you wouldn’t even get a chance at the printer; hack the router but miss the printer and you’d lose what you might otherwise have earned by pwning the router on its own.
In the end, eight different teams of researchers decided to back themselves and go for the superbounties available via Smashups…
…and six of them succeeded in getting in via the router and then onto a printer.
Only one of the Smashup teams aimed at anything other than a printer once inside. The Qrious Security duo from Vietnam had a go at the Western Digital NAS via a NETGEAR router, but didn’t get all the way to their target within the 30-minute limit imposed by the rules of the competition.
And the winners were…
To add a poker-like element of luck to the contest, and to avoid arguments about who deserves the most recognition when two teams just happen to find the same bug, the teams go in to bat in a randomly decided order.
Simply put, if two teams rely on the same bug somewhere in their attack, the one that went first scoops the full cash prize.
Anyone else using the same bug gets the same leaderboard points, but only 50% of the cash reward.
As a result, the outright winners won’t necessarily earn the most money – in the same sort of way that it’s possible to cycle to outright victory in the Tour de France without ever winning an individual stage.
This year, the Master of Pwn (top-place finishers do get a winner’s jersey, but unlike Le Tour, it’s not yellow, and it’s technically a jacket) did win the most money, with $142,000.
But the STAR Labs team from Singapore, who ended up just outside the medals in fourth place in the General Classification standings, had the happy consolation of taking home the next-biggest paycheck, with $97,500.
In case you’re wondering, the top three places were taken by corporate teams for whom bug-hunting and penetration testing is a day job:
1. DEVCORE (18.5 leaderboard points plus $142,000). This team works for a Taiwanese red-teaming and cybersecurity company whose official website includes staff identified only by mysterious names such as Angelboy, CB and Meh.
2. NCC Group EDG (16.5 points plus $82,500). This team comes from the dedicated exploit development group (EDG) of a global cybersecurity consultancy originally spun off in 1999 from the UK government’s National Computing Centre.
3. Viettel Security (15.5 points plus $78,750). This is the cybersecurity group of Vietnam’s state-owned telecommunications company, the country’s largest.
[Image caption: The maillot jaune of Pwn2Own (even if only the text is yellow)]
Who didn’t get hacked?
Fascinatingly, the eight products that didn’t get hacked were the ones with the biggest bounties.
The phones from Apple and Google, worth $200,000 each (plus a $50,000 bonus for kernel-level access), weren’t breached.
Likewise, the $60,000-a-pop home hubs from Meta, Amazon and Google stayed safe, together with the $60,000-each speakers from Apple, Amazon and Google.
The only $60,000 bounty that paid out was the one offered by Sonos, whose speaker was attacked by three different teams and pwned every time. (Only the first team had a novel chain of bugs, so they were the only ones that netted the full $60,000.)
Just as fascinatingly, perhaps, the products that didn’t get pwned didn’t actually survive any attacks, either: nobody registered an attempt against them.
The most likely reason for this, of course, is that no one is going to commit to entering Pwn2Own, writing up a publication-quality report, and travelling to Toronto to face public scrutiny, live-streamed to their peers around the world…
…unless they’re pretty jolly sure that their hacking attempt is going to work out.
But there’s also the issue that there are bug-buying services that compete with Trend Micro’s Zero Day Initiative (ZDI), and that claim to offer much bigger bounties.
So we don’t know whether Apple’s and Google’s phones and speakers, for example, went untested because they genuinely were more secure, or simply because any bugs discovered were worth more elsewhere.
Zerodium, for example, claims to pay “up to” $2,500,000 for top-level Android security holes, and $2,000,000 for holes in Apple’s iOS, albeit with the tricky proviso that you don’t get any say in what happens to the bug or bugs you send in.
ZDI, in contrast, aims to offer a responsible disclosure pathway for bug hunters.
The “code of silence” that bug finders are required to comply with after handing over their reports is there primarily so that the details can be shared privately and safely with the vendor.
So, although the vendors at this Pwn2Own paid out a total of $989,750, according to our calculations…
…that’s 63 fewer full-on, genuinely exploitable bugs left out there that cybercriminals and rogue operators could otherwise latch onto and exploit for evil.