Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities

Pwn2Own Vancouver 2022

Participants earned a total of more than $1.15 million at the Pwn2Own Vancouver 2022 hacking contest last week.

Pwn2Own Vancouver 2022

Participants earned a total of more than $1.15 million at the Pwn2Own Vancouver 2022 hacking contest last week.

According to Trend Micro’s Zero Day Initiative (ZDI), which organizes the event, rewards were paid out for 25 unique zero-day vulnerabilities that were used to target Tesla Model 3, Windows 11, Ubuntu, Microsoft Teams, Safari, Firefox and Oracle VirtualBox.

A majority of the money was earned on the first day, when researchers demonstrated exploits worth a total of $800,000, including three Microsoft Teams exploit chains that received $150,000 each.

Two teams targeted the Tesla Model 3, but only one of them, representing Synacktiv, was partially successful. The Synacktiv team earned $75,000 for an infotainment system hack, but their exploit leveraged a sandbox escape vulnerability that had already been known.

In the second attempt, a researcher failed to demonstrate their Tesla exploit, but ZDI still decided to acquire the details of the exploit and report them to the carmaker.

Researcher Manfred Paul was the only one to target Mozilla’s Firefox browser and the exploit earned him $100,000. Paul demonstrated his exploit on May 18, and on May 20 Mozilla already announced a Firefox update that should patch the vulnerabilities he disclosed at Pwn2Own. The researcher also earned $50,000 for a Safari hack.

Pwn2Own participants demonstrated six Windows 11 privilege escalation exploits, each worth $40,000. Four Ubuntu exploits and one VirtualBox exploit earned hackers the same amount.

Advertisement. Scroll to continue reading.

This is the second Pwn2Own taking place this year. In April, at Pwn2Own Miami 2022, which focuses on industrial control systems (ICS), contestants earned a total of $400,000 for their exploits.

Related: Printers Hacked for First Time at Pwn2Own

Related: $1.9 Million Paid Out for Exploits at China’s Tianfu Cup Hacking Contest

Related: Serious Vulnerability Exploited at Hacking Contest Impacts Over 200 HP Printers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.