- Team Fluoroacetate wins Pwn2Own for the third year in a row, exposing bugs in multiple devices.
- The first two smart TV products to ever enter the contest were broken into via integer overflows.
- The Xiaomi Mi9 and the Samsung Galaxy S10 were also pwned, with their NFC component as their Achilles’ heel.
This year’s Pwn2Own hacking contest took place in Tokyo and uncovered eighteen bugs in two days. The devices that were “pwned” include Wi-Fi routers, smart TVs, various IoT devices, wearables, mobile phones, and more. The team that won the “Master of Pwn” title for the third year in a row was “Team Fluoroacetate”, consisting of the researchers Amat Cama and Richard Zhu. The whole point of “Pwn2Own”, which started back in 2007, is to demonstrate the vulnerability of devices and software products that are used by millions of people. The targets are recent models that are still actively supported by their vendors, so the contest is a public demonstration that flaws exist everywhere, and that talented hackers can find them if they look hard enough.
That brings #Pwn2Own Tokyo 2019 to a close. Congrats to @fluoroacetate on successfully defending their Master of Pwn title. In two days, they racked up $195,000 for their research. Congrats!
— Zero Day Initiative (@thezdi) November 7, 2019
F-Secure targeted the Xiaomi Mi9 via its NFC component and managed to steal files by triggering a cross-site scripting bug. The same contestant managed to hack the TP-Link AC1750 Smart WiFi router through a combination of a command injection bug and insecure defaults. Team Flashback also compromised the same product via a different route, and then targeted the NETGEAR Nighthawk Smart WiFi Router (R6700), demonstrating that it’s possible to modify its firmware so that the payload survives on the device even after a factory reset.
Now the vendors have three months to fix the discovered vulnerabilities and push their patches before the details of the exploits are disclosed to the public. Attackers pay close attention to such disclosures, since many owners of these widely used devices never install the available patches promptly. So if you own one of the products listed below, make sure you install the software or firmware updates that arrive in the coming weeks, as crucial fixes are bound to be included in them.
Google Pixel 3 XL
Samsung Galaxy S10
Apple iPhone XS Max
Xiaomi Mi 9
Oppo F11 Pro
Apple Watch Series 4
Oculus Quest (64GB)
Amazon Echo Show 5
Google Nest Hub Max
Amazon Cloud Cam Security Camera
Nest Cam IQ Indoor
Sony X800G Series – 43”
Samsung Q60 Series – 43”
TP-Link AC1750 Smart WiFi Router
NETGEAR Nighthawk Smart WiFi Router (R6700)