French team takes home nearly $200k in winnings as event uncovers 61 zero days
UPDATED Team Synacktiv has claimed the Master of Pwn crown at Pwn2Own Austin 2021 after netting maximum points for a zero-day vulnerability in the Sonos One smart speaker.
Synacktiv, a French offensive security firm, topped the leaderboard at the three-day, hardware-focused hacking event with 20 Master of Pwn points, earning $197,500 in prize money in the process.
Meanwhile, a configuration flaw leading to code execution on Western Digital’s (WD) My Cloud Pro Series PR4100, a network-attached storage (NAS) device, earned four points and $40,000.
Brian Gorenc, senior director of vulnerability research at Trend Micro and head of the ZDI program, tells The Daily Swig that “several CVSS 10-level bugs came through the contest this year”.
Total payouts exceeded $1 million for the second Pwn2Own in a row, and contestants collectively discovered 61 unique zero-days (previously unknown and unpatched security flaws).
Proceedings took place from November 2 to 4 at the headquarters of the event’s organizer, the Zero Day Initiative (ZDI).
DEVCORE, joint winners of the flagship spring event, finished second, trailing Synacktiv by just two points with 18 points and $180,000 in total.
DEVCORE’s Orange Tsai, who memorably uncovered “a whole new attack surface” on Microsoft Exchange Server last year, and his teammates also claimed maximum points for compromising the Sonos One. They added four points and $40,000 by combining out-of-bounds read and out-of-bounds write flaws to hack Western Digital’s 3TB My Cloud Home Personal Cloud, another NAS device.
STARLabs, which finished third overall, chained an out-of-bounds read with a heap-based buffer overflow on the beta version of the same device, earning five points and $45,000.
Fourth in the final standings, Sam Thomas from UK infosec firm Pentest Ltd earned $40,000 and four points after chaining three bugs to get code execution on WD’s PR4100.
Asked to name his favorite exploit, ZDI communications manager Dustin Childs tells The Daily Swig: “It’s hard to beat an exploit that turns a printer into a jukebox and plays AC/DC. However, the exploit used against the beta version of the 3TB My Cloud Home Personal Cloud was really impressive, too.
“That’s one to definitely watch for when the fix becomes available.”
The 2021 edition added a consumer printer category for the first time, prompted by the pandemic-driven shift to home working and by the emergence over the summer of a noteworthy vulnerability in Microsoft’s Windows Print Spooler.
Record entry numbers
Vendors now have 120 days to remediate vulnerabilities discovered during the event before contestants are permitted to disclose technical details.
The Austin, Texas edition of Pwn2Own featured a record 58 exploit attempts – around twice the previous high – made by 22 teams or individual competitors against 22 devices, which also included TVs, routers, and home automation devices.
Streaming via YouTube and Twitch since Covid-19 forced the organizers to offer remote participation “has helped engagement tremendously”, says Childs. “The goal is to make attending and participating in Pwn2Own open to anyone interested, regardless of where they are located.”
Total prize money reached $1,081,250, slightly down on the $1,210,000 paid out at the flagship, software-focused Pwn2Own event in April.
‘Had a blast’
The three members of team Synacktiv collectively told The Daily Swig: “We really had a blast in the months before the event and during the event itself and would like to thank ZDI again for the organization.
“We began the preparation in September with the last exploit being finalized less than one week before the event, and we are proud that those efforts paid off.
“A lot of our team members watched the stream during our attempts, and shared our joy of seeing Ninjas appear on printers, of Baby Shark playing on the Sonos, but also the stress of having one of our exploits running way longer than expected and of the final race with the DEVCORE Team. For us the event was as much a technical challenge as a team-building event.”
This article was updated on November 9 with comments from ZDI’s Brian Gorenc and team Synacktiv