
Pwn2Own Toronto 2023 Competition Concludes
The recently concluded Pwn2Own Toronto 2023 competition, held from October 24 to October 27, set a new payout record for the event, with security researchers demonstrating 58 zero-day exploits over four days. The contest was organized by Trend Micro's Zero Day Initiative (ZDI), a bug-bounty program that pays researchers for finding and responsibly reporting software vulnerabilities.
Record of 58 Zero-Day Exploits Demonstrated
The security researchers successfully executed exploits against devices from a long list of vendors, including Samsung, Google, Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, and HP. The 58 zero-day exploits underscore the security exposure of consumer electronics, particularly the always-connected devices that make up the Internet of Things (IoT).
Four-Day Competition Results in Over $1 Million in Rewards
The participating hackers earned a collective $1,038,500 for their exploits. Team Viettel finished on top of the Master of Pwn standings, taking $180,000 and 30 Master of Pwn points. Runners-up included Team Orca of Sea Security, who earned $116,250, and DEVCORE Intern and Interrupt Labs, who earned $50,000 each.
Variety of Devices Exploited
The list of targeted devices was extensive: mobile phones, network-attached storage (NAS) devices, printers, wireless routers, home automation hubs, surveillance systems, and Google's Pixel Watch and Chromecast. Notably, a fully patched Samsung Galaxy S23 was hacked four times during the competition. Vendors whose products were exploited have a 120-day window to release patches before ZDI publicly discloses the vulnerabilities.
Participants and Rewards
The Pwn2Own Toronto 2023 hacking competition brought together a diverse field of teams and independent researchers, each demonstrating high-level exploit development skills. Because the Master of Pwn scoring system weighs both the target category and whether an entry was a fully unique zero-day chain (collisions with previously known or already-demonstrated bugs earn less), the largest single cash award did not necessarily go to the overall winner.
Largest Single Award of $100,000 goes to Chris Anastasio for Bugs in Router and Printer
One of the stand-out participants was Chris Anastasio, who collected the contest's largest single award, $100,000, for an exploit chain that moved from a router to a printer. The result shows that even seemingly mundane devices pose significant security risks when inadequately protected, and that a compromised router can serve as a foothold for attacking other devices on the same network.
Team Viettel Earns Total of $180,000 for Multiple Exploits
Team Viettel, a group from Vietnam's largest state-owned telecommunications company, was the event's overall winner. The team demonstrated several successful exploits across multiple categories and walked away with $180,000 in rewards. Their success did not come only from uncovering vulnerabilities: their strategic choice of targets, which maximized their Master of Pwn point tally, also played a vital part.
Team Orca and Pentest Limited Showcase Multiple Successful Exploits
Other notable participants included Team Orca and Pentest Limited. Team Orca, part of Sea Security, finished second on the leaderboard with $116,250 in rewards. Pentest Limited made its mark early by being the first to demonstrate a zero-day exploit against the Samsung Galaxy S23, earning $50,000 and 5 points towards its Master of Pwn tally.
Nature of Exploits
The Pwn2Own Toronto 2023 competition saw an impressive array of exploits demonstrated by the participants. These ranged from single-bug exploits to complex chains of vulnerabilities that allowed hackers to take control of devices remotely. The targets were not easy, as evidenced by multiple attempts that failed within the allotted time. The successful entries, however, gave vendors concrete, reproducible evidence of weaknesses they must address.
Majority are Single-Bug Exploits
The majority of the demonstrated exploits at the event were single-bug exploits, in which the participant discovered and leveraged one previously unknown vulnerability to bypass the device's security protections. Single-bug exploits, though seemingly less complex than multi-bug chains, are significant precisely because they show that one weak point or oversight can be enough to compromise a device.
Several Exploits Lead to Remote Code Execution
Remote code execution (RCE) vulnerabilities were a common feature among the successful exploits. These weaknesses, particularly concerning in an era of connected devices, allow an attacker to run arbitrary code on a victim's device over the network, without physical access. For instance, the Pentest Limited team was the first to demonstrate an RCE against the Samsung Galaxy S23 during the competition, illustrating how critical these vulnerabilities are.
All Vulnerabilities Reported to Vendors with 120-Day Window for Addressing Them
All vulnerabilities demonstrated during the event are reported to the respective vendors, including giants like Google and Samsung. These companies are then given a 120-day window to address the issues before ZDI publicly discloses the vulnerabilities. This follows the coordinated disclosure practice common in the security industry, which gives vendors time to ship a fix while limiting the period in which users are exposed.
Comparison with Previous Competitions
The Pwn2Own Toronto 2023 contest marked further growth in the high-stakes world of sanctioned hacking competitions. This year's edition not only paid out more in rewards than the previous edition but also covered a wider variety of device categories.
Total Payout at Pwn2Own Toronto 2023 Higher Than Last Year
Compared to the prior year's event, the total payout at Pwn2Own Toronto 2023 was higher: over $1 million was awarded to researchers who demonstrated 58 zero-day exploits. The growing cash rewards reflect the increasing importance and popularity of such contests in fostering a proactive security culture among device vendors.
Last Year Saw 26 Contestants Sign Up for 66 Exploits Earning Close to $1 Million
In the 2022 edition of Pwn2Own Toronto, 26 teams signed up to participate, demonstrating 66 exploits and earning close to $1 million in collective rewards. While the number of exploits demonstrated was higher in 2022, the larger total payout in 2023 points to the increasing complexity and significance of the vulnerabilities being discovered and reported at these events. The continued growth of these competitions bodes well for the security of consumer devices, as they encourage timely discovery and patching of vulnerabilities across a wide range of products.