
Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own

White hat hackers have earned a total of $195,000 for demonstrating vulnerabilities in TVs, routers and smartphones on the first day of the Pwn2Own Tokyo 2019 contest, currently taking place alongside the PacSec conference.

The event is organized by Trend Micro’s Zero Day Initiative (ZDI) and this edition promises over $750,000 in cash and prizes for exploits targeting one of 17 devices. This is the first Pwn2Own that has invited hackers to demonstrate security holes in the Portal smart display and the Oculus Quest virtual reality headset from Facebook.

Participants made a total of 10 attempts on the first day and a majority of them were successful. Seven attempts have been announced for the second day.

ZDI said the day started with Amat Cama and Richard Zhu of team Fluoroacetate earning $15,000 for hacking a Sony X800G TV by exploiting a JavaScript out-of-bounds read bug in the built-in web browser. An attacker could exploit this flaw to get a shell on the device by convincing the targeted user to visit a malicious website from the TV’s built-in browser.

The same team also earned $60,000 for taking control of an Amazon Echo device through an integer overflow, and $15,000 for getting a reverse shell on a Samsung Q60 TV, also via an integer overflow.

Cama and Zhu also earned $20,000 for managing to exfiltrate a picture from a Xiaomi Mi9 smartphone simply by browsing to a specially crafted website. They also received $30,000 for stealing a picture from a Samsung Galaxy S10 via NFC.

Pedro Ribeiro and Radek Domanski of Team Flashback earned $5,000 for taking control of a NETGEAR Nighthawk Smart WiFi router (R6700) over the LAN interface, and $20,000 for hacking the same router over the WAN interface and remotely modifying its firmware for persistence across a factory reset.

Team Flashback also received $5,000 for a code execution exploit chain against the TP-Link AC1750 Smart WiFi router over the LAN interface.

The last team represented F-Secure Labs and they attempted to hack a TP-Link router and a Xiaomi Mi9 phone. Both attempts were only partially successful, because some of the bugs they used were already known to the vendor, but they still earned $20,000 for showing that they could exfiltrate a photo from the Xiaomi phone.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
