Pwn2Own Closes With Nearly $1M Payout To Ethical Hackers • The Register

Pwn2Own paid out nearly $1 million to bug hunters at last week’s consumer product hacking event in Toronto, but the prize money wasn’t big enough to attract attempts to hack the iPhone or Google Pixel, because what those exploits can fetch from less scrupulous buyers far outstrips what contestants could win on stage.

“We gave it our highest honor,” said Dustin Childs, Head of Threat Awareness at Trend Micro’s Zero Day Initiative (ZDI).

The competition planned to give away $250,000 for a successful iPhone or Google Pixel exploit, he told The Register in an exclusive interview at the end of the four-day event. “And that’s just not enough zeros for the level of research it takes to get these phones,” Childs said.

“We’re talking to people from different sectors regarding the bug economy and some of the things we’ve heard are that a no-click iPhone exploit is possible and the price tag can be as high as $15 million.”

Meanwhile, four teams attempted exploits against the Samsung Galaxy, and three succeeded, winning $50,000 as the top prize for hacking the Korean giant’s flagship smartphones. These, too, could be sold for much more in criminal marketplaces. “That’s probably at least $2 million to $3 million right there,” Childs said.

The Register does not suggest that security researchers should sell zero-days for millions of dollars instead of handing them to vendors, who will hopefully plug the gaps and use that information to make their products more secure. But the fact that there is a lot of money to be made, albeit illegally, from finding vulnerabilities, exploiting them, and selling them to shady buyers on the internet cannot be ignored.

“Absolutely, it’s tempting when you’re dealing with that kind of money,” Childs said. “Especially in some places where it’s legal, for example to sell to an exploit broker or someone who is going to resell it.”

ZDI has hosted the vendor-independent bug-hunting event for 14 years and became part of Trend Micro when that security vendor acquired the bug-hunting outfit in 2015. There are now three separate Pwn2Own events each year, each focusing on a different product class: consumer, business, and industrial control systems.

According to Omdia research, Pwn2Own was responsible for almost 64 percent of all disclosed vulnerabilities last year [PDF].

This recent event in Toronto was the largest ever, with 26 participants submitting 66 entries over the four days, and it paid out $989,750 for successful exploits against mobile phones, smart speakers, routers, printers, and network-attached storage devices.

During the event, each team has three attempts on stage to demonstrate a zero-day exploit. Assuming they succeed, they’re quickly taken to a back room to tell ZDI how they did it.

The vendor is then brought in so the researchers can disclose the bug to them, and at that point the clock starts ticking for the manufacturer to fix the problem. Pwn2Own has a 90-day disclosure policy, and during that time “we expect that they will either produce a patch or we will post more information about it on our website. There’s absolutely no hiding the bugs,” Childs said.

At this point in the history of the competition, most vendors want details about how the researchers found the bugs. Childs said they tend to ask a similar set of questions: how did you find the bugs? How did you research them? What was your thought process? “And everyone said, ‘We have to do that too.’”

Samsung Galaxy exploits were among the highlights of this event, including one on day three of the competition where Pentest Limited successfully exploited an improper input validation bug in just 55 seconds. The phone maker was on site in Toronto and attended debriefing sessions with the successful entrants.

“Samsung was certainly grateful that we disclosed the bugs to them in a coordinated manner – that we don’t go public with it, that we don’t release exploits in the wild, that they get a chance to fix them before their customers are harmed by these vulnerabilities,” Childs said.

“Obviously they’re not thrilled to be in the room,” he added. “There was one unsuccessful entry and they were probably happier about that disclosure than the other four. But at the same time they understand the meaning of the event. We hand [the exploits] over to them free of charge and they appreciate it.”

Another highlight of the Toronto competition was the SOHO Smashup category, where participants had to compromise the WAN interface to take over a home router and then pivot to an internal device such as a smart speaker or printer.

This type of attack is particularly relevant in hybrid and work-from-home scenarios, said Trend Micro COO Kevin Simzer. “Maybe the average consumer isn’t concerned about some of these exploits — although they should be — but I can tell you that the commercial customers we deal with are definitely concerned,” he told The Register.

“We all live in a hybrid working model now, so these vulnerabilities can easily penetrate corporate networks.”

However, the fact remains that all of these participants could make more money by selling these exploits on the black market. Why choose 15 minutes (or less) of fame and $10,000 (or more) at Pwn2Own instead?

“Cash is obviously a motivator,” Childs said. “If someone hands you $10,000, it may not change your life, but it will definitely change your day. And in certain parts of the world it really changes your life.”

Others are in it for the recognition, he added. “We have many participants who are young companies or young researchers who want to demonstrate their skills and show that they are worth hiring as consultants.”

Still others seem to be simply good people who want to make the world a safer place.

“This is going to sound cheesy and altruistic, but people are telling us that they’d rather send us bugs than sell them on the exploit marketplace because they want the bugs fixed,” Childs said. “We actually heard this from researchers: I know I get less money this way. But I still get credit because the bug is actually fixed and not exploited.” ®

Rick Schindler
