Pwn2Own 2019 Hacking Contest Concluded With Success

By Bill Toulas / November 9, 2019

This year’s Pwn2Own hacking contest took place in Tokyo and uncovered eighteen bugs in two days. The devices that were “pwned” include Wi-Fi routers, smart TVs, various IoT devices, wearables, mobile phones, and more. The team that won the “Master of Pwn” title for the third year in a row was “Team Fluoroacetate”, consisting of the researchers Amat Cama and Richard Zhu. The whole point of “Pwn2Own”, which started back in 2007, is to demonstrate the vulnerability of devices and software products that are used by millions of people. These products are recent models that are actively supported by their vendors. In other words, it’s a public demonstration of the fact that there are flaws everywhere, and talented hackers can find them if they look hard enough.

The three teams that dominated the contest were the winner Team Fluoroacetate, F-Secure Labs, and Team Flashback. The winner won $195,000 in total, with their highlight being the full compromise of an Amazon Echo device through the use of an integer overflow exploit in JavaScript. The same team also hacked the Sony X800G smart TV, using a JavaScript out-of-bounds (OOB) read in the embedded web browser to gain a bind shell, and the Samsung Q60 smart TV, again via an integer overflow in JavaScript. Finally, they completely destroyed Samsung Galaxy S10 security by dropping a file via a rogue base station and escaped the sandbox via a use-after-free flaw in an NFC (near-field communication) component.

F-Secure targeted the Xiaomi Mi9 via its NFC and managed to steal files and trigger a cross-site scripting (XSS) bug. The same contestant managed to hack the TP-Link AC1750 Smart WiFi router through a combination of a command injection bug and insecure defaults. Team Flashback also compromised the same product via a different route, and then targeted the NETGEAR Nighthawk Smart WiFi Router (R6700), demonstrating that it’s possible to modify its firmware and keep the payload in the device even after a factory reset.

Now, the vendors have three months to fix the discovered vulnerabilities and push their patches before the details of the exploits are disclosed to the public. Hackers love tips on how to break into devices that are used by millions, as some users don’t apply the available patches immediately. That said, if you own one of the products listed below, make sure that you update its software in the coming period, as crucial fixes are bound to arrive with the pushed patches.

Google Pixel 3 XL
Samsung Galaxy S10
Apple iPhone XS Max
Huawei P30
Xiaomi Mi 9
Oppo F11 Pro
Apple Watch Series 4
Oculus Quest (64GB)
Facebook Portal
Amazon Echo Show 5
Google Nest Hub Max
Amazon Cloud Cam Security Camera
Nest Cam IQ Indoor
Sony X800G Series - 43”
Samsung Q60 Series - 43”
TP-Link AC1750 Smart WiFi Router
NETGEAR Nighthawk Smart WiFi Router (R6700)
