Toronto Pwn2Own exploit contest starts with US$40,000 awarded

The first Toronto edition of Trend Micro’s Pwn2Own hacking contest began Tuesday, with individuals or teams from a number of countries attempting to break into consumer products in hopes of winning a share of hundreds of thousands of dollars in prizes.

Within two hours, two teams had each won US$20,000.

“This event is going to be our largest ever, with 26 teams attempting 66 exploits against various targets,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in an interview.

Held at Trend Micro’s Toronto office, it is scheduled to last four days.

Entrants — who will try to crack home-office or mobile devices by creating unique exploits — will participate either on-premises or remotely from a number of countries, including Canada, the U.S., Germany, France, the Netherlands, Vietnam, and South Korea.

They are trying to break into a Canon multi-function printer, a TP-Link WiFi router, a Sonos wireless speaker, a Samsung Galaxy S22 smartphone, and more.

First started in 2007 at Vancouver’s CanSecWest conference — and a regular feature there ever since — the Pwn2Own contest challenges white hat hackers to break into devices that IT hardware and software manufacturers believe are secure. Targets, announced before the contest so participants can prepare, can range from browsers to a Tesla 3. In most cases, the team or person that breaks into the device gets to own it — hence the name of the contest — and/or win a prize because Trend Micro purchases the exploit. Vendors learn about the weaknesses their products have.

And entrants have to work to win. They have three five-minute attempts to demonstrate their exploit by completely taking over a system. “It’s not just proof of concept code or not just showing debugging,” Childs said. “They have to show real code execution on the target.”

If successful, the winner goes into a physical or virtual back room to give judges details of their work, to prove it really is a zero-day unknown exploit. In addition, the product’s manufacturer has to verify on the spot that it hasn’t heard of the exploit before. Only then is a winner officially declared.

For the Toronto event, prizes from $5,000 to $100,000 for each exploit are available. Childs thinks $1 million may be awarded this week.

In addition to Toronto, Pwn2Own contests were held this year in Vancouver and Miami. Each contest has a theme. Traditionally, Vancouver focuses on enterprise products including operating systems. Miami’s theme was industrial controllers and SCADA devices.

In April, participants at the Miami event won US$400,000 for demonstrating 26 exploits and bug collisions. In May, Vancouver participants won US$1.15 million for showing 25 unique zero-day exploits.

Childs said Toronto was chosen because Trend Micro has a large enough office here, the city has good international connections (although he admitted getting participants here in December was a challenge) and it has the ability to furnish things that organizers may run out of. For example, he said, they had to empty Toronto Best Buy stores of a certain model of Netgear router.

Tuesday morning’s winners included a team from U.K.-based penetration testing firm Nettitude, which executed a stack-based buffer overflow attack against the Canon imageCLASS MF743Cdw printer.

A team called Qrious Secure executed two bug attacks (an authentication bypass and a command injection) against the WAN interface of a TP-Link AX1800 router.
