Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Pwn2Own Toronto 2022, Day 2: Smart Speaker Exploits Earn Big Chunk of $280,000 Total

On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits.

A significant chunk of the total amount was earned for smart speaker hacks, specifically vulnerabilities targeting Sonos One smart speakers.

On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits.

A significant chunk of the total amount was earned for smart speaker hacks, specifically vulnerabilities targeting Sonos One smart speakers.

Pwn2Own Toronto 2022A team from ​​Qrious Secure earned $60,000 for hacking a Sonos One speaker, while the Star Labs team earned $22,500 for an exploit that involved one new and one previously known flaw.

The Bugscale team was awarded $37,500 for a SOHO Smashup exploit that targeted a Synology router and an HP printer. The attempt involved the use of new and previously known bugs.

In the new Pwn2Own category called SOHO Smashup, a small office / home office (SOHO) scenario is simulated, with the goal being to hack a router on the WAN interface and then pivoting to the LAN, where a second device is hacked, such as a NAS appliance, a smart speaker, or a printer.

[ Read: Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Exploits ]

Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.

The list of devices hacked on the second day of Pwn2Own, for which participants earned between $1,250 and $10,000, includes HP, Lexmark and Canon printers, and Netgear, Synology and TP-Link routers.

ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities.

Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.

Related: Netgear Neutralizes Pwn2Own Exploits With Last-Minute Nighthawk Router Patches

Related: Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities

Related: Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.