Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own

White hat hackers have earned a total of $195,000 for demonstrating vulnerabilities in TVs, routers and smartphones on the first day of the Pwn2Own Tokyo 2019 contest, currently taking place alongside the PacSec conference.

The event is organized by Trend Micro’s Zero Day Initiative (ZDI) and this edition promises over $750,000 in cash and prizes for exploits targeting one of 17 devices. This is the first Pwn2Own that has invited hackers to demonstrate security holes in the Portal smart display and the Oculus Quest virtual reality headset from Facebook.

Participants made a total of 10 attempts on the first day and a majority of them were successful. Seven attempts have been announced for the second day.

ZDI said the day started with Amat Cama and Richard Zhu of team Fluoroacetate earning $15,000 for hacking a Sony X800G TV by exploiting a JavaScript out-of-bounds read bug in the built-in web browser. An attacker could exploit this flaw to get a shell on the device by convincing the targeted user to visit a malicious website from the TV’s built-in browser.

The same team also earned $60,000 for taking control of an Amazon Echo device through an integer overflow, and $15,000 for getting a reverse shell on a Samsung Q60 TV, also via an integer overflow.

Cama and Zhu also earned $20,000 for managing to exfiltrate a picture from a Xiaomi Mi9 smartphone simply by browsing to a specially crafted website. They also received $30,000 for stealing a picture from a Samsung Galaxy S10 via NFC.

Pedro Ribeiro and Radek Domanski of Team Flashback earned $5,000 for taking control of a NETGEAR Nighthawk Smart WiFi router (R6700) over the LAN interface, and $20,000 for hacking the same router over the WAN interface and remotely modifying its firmware for persistence across a factory reset.

Team Flashback also received $5,000 for a code execution exploit chain against the TP-Link AC1750 Smart WiFi router over the LAN interface.

The last team represented F-Secure Labs and they attempted to hack a TP-Link router and a Xiaomi Mi9 phone. Both attempts were only partially successful, but they still earned $20,000 for showing that they could exfiltrate a photo from the Xiaomi phone. The attempts were only partially successful because some of the bugs they used had already been known to the vendor.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
