Trend Micro’s Zero Day Initiative (ZDI) has announced the targets and prizes for its next Pwn2Own hacking competition, as well as the introduction of a new category that aims to simulate a real world home office environment.
The next Pwn2Own will take place December 6-8, 2022, at ZDI’s office in Toronto, Canada. The registration deadline is December 2. The event will not take place alongside a conference so ZDI has decided to reimburse $3,000 for travel expenses to encourage hackers to participate in person. Bug bounty hunters can also compete remotely, with a ZDI employee in Toronto running the exploit for them.
The organizer is offering a total of more than $1 million in cash and prizes for exploits targeting mobile phones, wireless routers, home automation hubs, smart speakers, printers and NAS devices.
This year, ZDI is introducing a new category called ‘The SOHO Smashup’, which can earn participants up to $100,000. This category aims to simulate a small office/home office (SOHO) scenario, with the goal being to hack a router via its WAN interface and then pivot into the local area network where the researcher needs to hack a different device, such as a printer, smart speaker or NAS device.
In the first stage, they can hack a TP-Link, Netgear, Synology, Cisco, MikroTik or Ubiquity router. In the second stage, they can pick from a list of nearly a dozen IoT devices from Meta, Amazon, Google, Sonos, Apple, HP, Lexmark, Canon, Synology, and WD.
While this version of Pwn2Own is no longer called Mobile Pwn2Own, mobile phones are still the most attractive target from a financial viewpoint. Participants can earn up to $250,000 if they hack Apple’s iPhone 13 or Google’s Pixel 6. Hacking a Samsung Galaxy S22 can earn participants up to $50,000.
A cash prize of up to $60,000 is offered for smart speaker and home automation hub exploits. The targets include Sonos One, Apple HomePod Mini, Amazon Echo Studio, Meta Portal Go, Amazon Echo Show 15, and Google Nest Hub Max.
Participants can earn up to $40,000 for Synology and WD NAS exploits, and between $5,000 and $30,000 for router vulnerabilities. Printer exploits are worth up to $20,000.
At last year’s event, participants were awarded more than $1 million for smartphone, router, printer, NAS and smart speaker zero-day exploits.
Related: Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities
Related: ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami 2022
Related: Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022