Being held at Zero Day Initiative (ZDI)’s Toronto office, this year’s Pwn2Own kicked off smoothly on 6th December 2022 with contestants participating both in person and remotely. Before we dive into the proceedings on the event days, let’s talk about what Pwn2Own is and how it started.
What is Pwn2Own?
Pwn2Own is a hacking contest where security researchers are invited to hack into devices that IT hardware and software manufacturers believe are secure.
At Pwn2Own Toronto 2022, contestants would have targets such as mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices for hacking into.
For their efforts resulting in a successful hack, the participants are rewarded with prize money.
Starting in April 2007 during the CanSecWest conference in Vancouver, Pwn2Own has come a long way to become the highly reputable competition that it is. It began when security researcher Dragos Ruiu wanted to put Apple’s impenetrable security system to the test and ever since, the competition has followed a similar mission statement.
Not only has it allowed organizations to normalize bug reporting but has also changed how the industry looks at security.
This fall’s Pwn2Own event introduced a new category called “SOHO Smashup” (Small Office/Home Office) to incorporate a real-world setting where a threat actor would exploit a home office.
A contestant would be required to pick a router and begin exploiting the WAN interface and then they would pivot to the LAN, where a second device is hacked such as a NAS appliance, a smart speaker, or a printer.
DAY 1 PROCEEDINGS
The first day of the competition welcomed participants who won a total of $400,000 for exploits targeting phones, printers, routers, and NAS devices.
The Devcore team which is a recurring contestant in the competition won the highest single reward of $100,000 in the SOHO Smashup category for hacking a MikroTik router and a Canon printer connected to it.
Coming in second with a reward of $50,000 was the team Neodyme which successfully hacked a Netgear router and an HP printer.
Meanwhile, the Star Labs team also earned $50,000 for hacking a Samsung Galaxy S22 smartphone. The same device was also hacked by a participant named Chim who earned $25,000.
Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.
There were also multiple $20,000 rewards for hacking Canon, HP, Lexmark printers, TP-Link, and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.
Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. The Netgear exploits by some contestants including Tenable were neutralized just days before the competition due to a last-minute hotfix released by the vendor.
With 26 contestants signing up for 66 exploits, ZDI decided that the full cash prize would be awarded to the first winner of each target, with subsequent exploits getting 50% of the prize money.
DAY 2 PROCEEDINGS
On the second day of the competition, participants earned a total of more than $280,000 for their exploits. A large sum of the total amount was earned by targeting the smart speaker, specific vulnerabilities in the Sonos One smart speakers.
$60,000 went to a team from Qrious Secure for hacking a Sonos One speaker while $22,500 went to the Star Labs team for an exploit that involved targeting one new and one previously known flaw.
The Bugscale team earned $37,500 for a SOHO Smashup exploit targeting a Synology router and an HP printer where again, new and previously known bugs were used.
Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.
The list of devices hacked on the second day of Pwn2Own, for which participants earned between $1,250 and $10,000, includes HP, Lexmark, Canon printers, Netgear, Synology, and TP-Link routers.
ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities. As the event progresses successfully, we look forward to it serving as a beacon to improve the relationship between vendors and independent researchers.