The Pwn must go on

Pwn2Own 2020 took place via Zoom

UPDATED The flagship Pwn2Own live hacking event came to a close yesterday, but the winning team may have to wait a little longer than usual to receive their ‘Master of Pwn’ trophy, as this year the competition took place via live stream.

Pwn2Own Vancouver was due to set up camp at the CanSecWest security expo in Canada, but mounting concerns over the Covid-19 pandemic led Trend Micro’s Zero Day Initiative (ZDI) to opt instead to host the event via Zoom.

“We had previously announced contestants would be allowed to compete remotely in this year’s competition,” ZDI’s Brian Gorenc said in a blog post explaining the decision to go virtual earlier this month.

“That remains true. However, instead of ZDI researchers running the attempts in Vancouver, they will do all attempts from our office in Austin, Texas. We will be in communication with the researchers either by phone or video chat during the attempts.”

Returning champions

The unusual format of the event this year was apparently of little concern to returning Pwn2Own champions Richard Zhu and Amat Cama (Team Fluoroacetate), who again took the top spot in 2020.

After demonstrating how a pair of use-after-free bugs in Adobe Reader and the Windows kernel could be used to take over the target system, Zhu and Cama took first place, with the Georgia Tech Systems Software and Security Lab team coming in a close second.


Pwn2Own 2020 Master of Pwn standings


“Special thanks to the Microsoft Security Response Center, Adobe Security, Apple, and Canonical for working with us on disclosure and calling in for the Zoom meetings,” ZDI tweeted last night.

“We couldn’t do this without the support of vendors with mature security response processes.”

“I think the event went great,” Gorenc told The Daily Swig. “We really had no idea on what to expect, so we had many contingency plans. Once we announced remote participation was possible, we received great interest from the researchers. However, they were cautious as well.

“The change resulted in them sending us their exploits prior to the competition, but they trusted us to handle them appropriately. Similarly, vendors trusted us to still handle the disclosure process in an equitable manner, and we were able to accomplish that as well.”

Gorenc added: “Going virtual has certainly increased the playing field as far as who can participate. There are some researchers who would want to participate in the past, but travel restrictions or visa issues have prevented them from being at the contest in person. Going virtual allows us to accommodate those individuals.”

Check out the ZDI blog to catch up on all of the exploits that were demonstrated at Pwn2Own this year.


This article has been updated to include further comment from the ZDI’s Brian Gorenc.


READ MORE Pwn2Own Miami: Hackers scoop $250,000 in prizes during inaugural ICS security contest