Security researchers gathered in Austin, Texas, this week for yet another Pwn2Own hacking competition, racking up more than $1 million in rewards for their exploit demonstrations.
The latest edition of the iconic hacking contest has seen a specific focus on network-attached storage (NAS) boxes as well as routers, with mobile phones and printers also on the menu.
Among the more popular targets at the competition was the Cisco RV340 router, which was subjected to nine successful or “collision” attacks that used previously known flaws, with one more attempt failing to execute. Researchers were able to break into the networking appliance using both known and unknown security vulnerabilities.
Also popular with hacker contestants was the Western Digital My Cloud Pro Series PR4100 NAS box. The storage device was the subject of nine successful or collision hacks.
Topping the contest was the team from security firm Synacktiv, who managed to rack up $197,500 in payouts and 20 “Master of Pwn” points.
Second in the rankings was the Devcore trio of researchers Orange Tsai, Angelboy and Meh Chang, who showed off six successful attacks and claimed a total of $180,000.
The achievement continued a busy year for Orange Tsai in particular. In late 2020, they discovered and reported the ProxyLogon flaws in Microsoft Exchange Server, which were exploited by nation-state hackers prior to being patched. In August, the researcher took to the stage at Black Hat 2021 to discuss their discovery of ProxyShell Exchange bugs, which had been disclosed and patched in April.
Printers were also targeted in the event. Ten different entries were launched against either the Canon ImageCLASS MF644Cdw or Lexmark MC3224i. The ZDI noted that when researchers from Synacktiv demonstrated a heap overflow attack against the MF644Cdw, it marked the first successful printer hack in the competition’s history.
The contest ended on Friday with researchers from NullRiver successfully exploiting two flaws in the Netgear R6700v3 router. The ZDI says that it paid out $1,081,250 in rewards over the four-day competition and received 60 new zero-day vulnerabilities.
Not every device put in the crosshairs was successfully hacked. Two attempts were made to break into the Samsung Galaxy S21 smartphone. One attempt failed and another was only able to obtain “collision” status by exploiting previously disclosed vulnerabilities.
Pwn2Own, which is run by Trend Micro’s Zero Day Initiative (ZDI), gets its name from the early days of the competition when attendees would be rewarded with a modest payout and ownership of the device they had compromised. But the competition has long since become big business for researchers.
A successful display of remote code execution using zero-day vulnerabilities can net a bug hunter tens of thousands of dollars, with a successful week potentially allowing researchers to bring in hauls in the six figures.
ZDI said that 22 contestants (individuals or groups) launched 58 attempts. In each attempt, the researcher has 30 minutes to successfully get control over the target, with points (and money) being awarded not only for hacking the device but also for the use of zero-day bugs.
In some cases, the attackers exploited a single critical flaw that allowed complete takeover, while others opted to chain together multiple lower-risk flaws, such as elevation of privilege, to achieve remote code execution.