During a well-known hacking competition, bug bounty hunters were able to exploit security vulnerabilities in everyday-use devices that most of us have at home and work.
Pwn2Own Tokyo is a hacking competition held every year. Cybersecurity specialists, more precisely white-hat hackers, compete to find bugs that malicious parties could exploit and to earn the cash rewards offered by manufacturers.
The 2020 edition of Pwn2Own Tokyo was held virtually due to the ongoing pandemic, but this didn't stop the bug bounty hunters from finding and showing the exploits, cashing in major rewards in the process.
Coordinated by Trend Micro's ZDI from Canada, Pwn2Own Tokyo 2020 brought together talented hackers with a common mission: hack their way into devices and demonstrate to the manufacturers the potential exploits that are available to malicious agents out there.
In this edition of the event, the bug bounty hunters found 23 unique vulnerabilities that were present in six devices. The findings represented $136,000 in rewards for the participating hackers.
As usual, ZDI gave the manufacturers and vendors 120 days to patch their software before the bugs' details become public.
The exploits were found in routers, NAS (network-attached storage), and Smart TVs. Team Flashback, the team that got first place in the competition, earned $40,000 by exploiting vulnerabilities in TP-Link and NETGEAR routers, models that are available in the market and are widely used by thousands of users.
DEVCORE, the team that ended up second, hacked Synology and Western Digital NAS products. The findings represented $37,500 in rewards for the hackers.
Trapa Security and STARLabs teams collected $25,000 each by successfully exploiting vulnerabilities in Western Digital and Synology NAS products and a NETGEAR router.
On a side note, many hackers who joined the event also found serious bugs in Smart TVs, yet these didn't earn cash rewards because the bugs were already known to the community.
During Pwn2Own Tokyo 2019, hackers focused on routers but also on popular smartphones. Participants found plenty of vulnerabilities, yet fewer than in this edition of the event, ultimately cashing in $315,000 in rewards.
Meanwhile, in China
The same weekend that Pwn2Own Tokyo 2020 took place, participants at the Tianfu Cup in China were putting many other devices to the test, with rewards going over $1.2 million.
During this event, highly popular products such as iPhones, Samsung Galaxy S20, Google Chrome, Mozilla Firefox, and VMware hypervisor software were hacked by talented bug bounty hunters. Eight teams successfully found serious vulnerabilities in these products during this edition of the Tianfu Cup.
Their common, lucrative quest of finding these bugs is always a reminder that we, the end-users of many of these products, must be on the lookout as providers can and probably will fail in their promise of keeping our data safe from malicious third parties.