Pwn2Own is the annual hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI). The Pwn2Own Tokyo 2019 contest is offering over $750,000 in rewards for working exploits targeting any of the devices in a list of 17 systems.
Pwn2Own Tokyo 2019 is the first to ask participants to find vulnerabilities in the Portal smart display and the Facebook Oculus Quest virtual reality headset. On the first day, the white hat hackers who participated in the contest made a total of 10 attempts.
The first day of Pwn2Own Tokyo 2019 has come to a close, and some amazing research was demonstrated throughout the day. In total, we awarded $195,000 for 12 total bugs. The day saw nine successful attempts against seven targets in five categories. -ZDI
Report Of First Day:
The day started with the Fluoroacetate team (Amat Cama and Richard Zhu) targeting the Sony X800G television. The team earned $15,000 for hacking the Sony X800G TV. The security duo exploited a JavaScript out-of-bounds read flaw in the built-in web browser.
The flaw could be exploited by an attacker to get a shell on the device by tricking the victim into visiting a malicious website from the TV’s built-in browser.
In a day full of firsts, the Fluoroacetate duo returned for our first ever attempt in the Home Automation category. They chose the Amazon Echo Show 5 for their target, and with the device in an RF enclosure to ensure no outside interference, they used an integer overflow in JavaScript to compromise the device and take control. This exploit earned them $60,000 and 6 Master of Pwn points. -ZDI
Cama and Zhu also earned $60,000 for taking control of an Amazon Echo device by exploiting an integer overflow. They also earned $15,000 for getting a reverse shell on a Samsung Q60 TV. In addition, Cama and Zhu stole a picture from a Samsung Galaxy S10 via NFC and earned $30,000.
Pedro Ribeiro and Radek Domanski from Team Flashback earned $5,000 for taking control of a NETGEAR Nighthawk Smart WiFi Router (R6700) over the LAN interface.
Furthermore, Ribeiro and Domanski received $20,000 for hacking the same router over the WAN interface. Interestingly, they remotely modified its firmware to achieve persistence across a factory reset.
Another team, F-Secure Labs, obtained a partial success: it chained two logic flaws to exfiltrate a picture from the phone. One of the issues was known to the vendor. Nevertheless, the group received $20,000 and 2 Master of Pwn points.
Coming to the end of the first day, ZDI said:
We’ve seen some exciting research and set quite a few “firsts” for our contest: first television, first router, and first home automation. Tomorrow looks to be just as exciting, with both baseband attempts occurring first thing in the morning. As with today, we’ll be live updating the blog with results as they occur.