Another Pwn2Own has drawn to a close, with Team Fluoroacetate (researchers Amat Cama and Richard Zhu) taking home the Master of Pwn title for the third year in a row.
Overall, contestants in the Tokyo 2019 event earned more than $315,000 over the two-day hacking contest, for uncovering 18 different bugs in the various products. This encompassed new categories for Wi-Fi routers, televisions and smart-home/home automation products, including the pwning of an Amazon Echo. Three teams – Team Fluoroacetate, F-Secure Labs and newcomers Team Flashback – dominated the proceedings.
“Once patched, this should prove to be an interesting write-up,” according to the Zero-Day Initiative’s blog of the event.
And finally, the team turned their attention to mobile phones, starting with a knock-out compromise of Samsung’s flagship Galaxy S10 via baseband. They used a rogue base station and a stack overflow to drop a file onto the Galaxy, earning $50,000. Their success marked the third year in a row that Samsung’s flagship handset has been hacked.
That brings #Pwn2Own Tokyo 2019 to a close. Congrats to @fluoroacetate on successfully defending their Master of Pwn title. In two days, they racked up $195,000 for their research. Congrats!
— Zero Day Initiative (@thezdi) November 7, 2019
Elsewhere in the competition, F-Secure Labs’ team (Mark Barnes, Toby Drew, Max Van Amerongen and James Loureiro) earned $70,000 overall and came in second place in the Master of Pwn race. Most notably, the team targeted the Xiaomi Mi9 handset via its NFC component, successfully lifting a photo from the phone by tapping it to a rogue near-field communication (NFC) tag. They were able to trigger a cross-site scripting (XSS) bug in the NFC component to send the picture to a different phone that they controlled – earning $30,000.
The team also had partial success pwning the same handset in the web browser category, with two chained logic bugs. One of the bugs was already known to the vendor, but the team still received $20,000 for the effort.
And finally, the F-Secure Labs team targeted the WAN port of the TP-Link AC1750 Smart WiFi router; they combined a command injection bug with a handful of insecure defaults to execute code on the device, earning $20,000.
Meanwhile, fresh faces Team Flashback (researchers Pedro Ribeiro and Radek Domanski), which wrapped up their first Pwn2Own with a total of $50,000 for four successful demonstrations, also took aim at the TP-Link router with two hacks. They earned $20,000 for a code-execution exploit by targeting the WAN port of the device using a stack overflow combined with a logic bug. And, they used a total of three different bugs – starting with a command injection vulnerability – to compromise the LAN interface of the router and execute code, raking in $5,000.
Team Flashback also targeted the NETGEAR Nighthawk Smart WiFi Router (R6700) with two different demonstrations. They were able to remotely modify the router’s firmware so that their payload persisted across a factory reset – earning $20,000. And, they compromised the LAN interface of the device with a stack-based buffer overflow to gain a shell on the router, earning $5,000 in the process.
Vendors have been notified and have 90 days to produce security patches before public disclosure.