It pays more to be a white hat than a dark one, as the Pwn2Own event in Toronto, Canada proved once again. Whether they are regulars at security companies or talented individuals occasionally contracted by them, hacking events such as these provide much-needed financial security for the researchers and better cybersecurity for everyone else. The Pwn2Own event in Toronto resulted in the discovery of 63 zero-day vulnerabilities and paid out 989,750 dollars in rewards.
For instance, two zero-day vulnerabilities were discovered in the Samsung Galaxy S22 on the first day of the event alone. A team from STAR Labs managed to exploit a zero-day on Samsung’s flagship through an improper input validation attack after only three attempts. For newbies, an improper input validation attack involves feeding a crafted string into a field where the software accepts user input without checking it properly; the unexpected input provokes behaviour the developers never intended, paving the way for the system to be exploited.
The team from STAR Labs won 50,000 dollars for that one alone. Another hacker, by the name of Chim, found a second issue using the same technique, earning 25,000 dollars. That’s 75,000 dollars from Samsung alone. In all, 26 vulnerabilities were discovered on the first day, earning contestants over 400,000 dollars in prizes. On day 3, Samsung’s S22 was hacked again, in just 55 seconds, by researchers from Pentest, again via an input validation attack. So much for Samsung security, but that’s why Samsung is there, and Samsung S22 users should expect a patch in the coming days. However, no one signed up to challenge Apple’s iPhone or Google’s Pixel 6.
Other successful attacks include a stack-based buffer overflow attack against the Canon ImageCLASS MF743Cdw printer, two authentication bypass and command injection attacks against the WAN interface of the TP-Link AX1800 router, SQL injection and command injection attacks against the LAN interface of the NETGEAR RAX30 AX2400 router, stack-based buffer overflow attacks against a MikroTik router, code execution through an out-of-bounds (OOB) write attack against the Synology DiskStation DS920+ NAS, a buffer overflow attack against the WD My Cloud Pro Series PR4100 NAS, and many more. Each successful attack earned more than 5,000 dollars, with the last of these winning 40,000.
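To make the "input validation" idea concrete for the newbies mentioned above, and to show how the command injection and SQL injection classes in the list just given grow from the same root cause, here is an added example in Python. It is not code from the contest, from any of the vendors, or from this article. It models a hypothetical router admin handler that takes a device name from a web form and uses it in a shell command and in a database query; the device names, the table and the IP addresses are constructed for the demo.

```python
import re
import sqlite3

# Allowlist for RFC 1123-style hostnames: labels of letters, digits and
# hyphens, no leading or trailing hyphen, at most 253 characters overall.
# Shell metacharacters, quotes and whitespace can never match this pattern.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(value: str) -> bool:
    """Proper input validation: accept only what the field is meant to hold."""
    return bool(HOSTNAME_RE.match(value))


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern, kept for contrast: the raw form value is pasted into
    a shell line, so a ';' in the input ends the ping command and starts a
    second one. This is the 'command injection' class from the list above."""
    return f"ping -c 1 {host}"


def build_ping_command_safe(host: str) -> list:
    """Hardened form: reject anything that is not a hostname, then hand the
    value to the program as one argv element so no shell ever parses it."""
    if not validate_hostname(host):
        raise ValueError(f"rejected input: {host!r}")
    return ["ping", "-c", "1", host]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a router's device list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, ip TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("printer", "192.0.2.10"), ("nas", "192.0.2.20")],
    )
    return conn


def lookup_device_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the name is formatted into the SQL text, so a quote
    in the input changes the structure of the query ('SQL injection')."""
    return conn.execute(f"SELECT ip FROM devices WHERE name = '{name}'").fetchall()


def lookup_device_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT ip FROM devices WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    # Constructed inputs: two benign, one carrying a shell separator, one
    # carrying an SQL quote. Only the benign ones survive validation.
    for candidate in ["router.lan", "192.0.2.10", "127.0.0.1; reboot", "x' OR name = 'nas"]:
        print(f"{candidate!r:24} valid={validate_hostname(candidate)}")
    conn = make_demo_db()
    hostile = "x' OR name = 'nas"
    print("safe lookup  :", lookup_device_safe(conn, hostile))    # no row matches
    print("unsafe lookup:", lookup_device_unsafe(conn, hostile))  # the 'nas' row leaks
```

The two defensive rules the example encodes are the ones every class in the list above violates in some form: validate each field against an allowlist at the trust boundary, and keep untrusted data out of interpreters by passing it as an argv element or a bound parameter rather than pasting it into a command line or a query string. The same "check the length and shape before using it" discipline, applied to binary fields in C parsers, is what prevents the stack-based buffer overflows and out-of-bounds writes also reported at the event.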
The event was organized by Trend Micro’s Zero Day Initiative (ZDI), in which hackers are encouraged to attack almost all manner of devices, including phones, printers, wireless routers and switches, and NAS devices. Vendors taking part include big tech names such as Samsung, Google, Apple, HP, MikroTik, Netgear, Western Digital, and TP-Link. Thirty-six different teams of security researchers from over 14 countries participated in the event.
The event netted 63 unique zero-day vulnerabilities out of 66 issues reported. And because the contest was netting bugs like a smoked tree in a rainforest, it was extended from the scheduled three days to four. The next Pwn2Own event is scheduled for February in Miami, Florida: another opportunity for hackers to legitimately earn big bucks and hone their talents against each other while protecting the general populace from their dark counterparts.