On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits.
A significant chunk of the total amount was earned for smart speaker hacks, specifically vulnerabilities targeting Sonos One smart speakers.
A team from Qrious Secure earned $60,000 for hacking a Sonos One speaker, while the Star Labs team earned $22,500 for an exploit that involved one new and one previously known flaw.
The Bugscale team was awarded $37,500 for a SOHO Smashup exploit that targeted a Synology router and an HP printer. The attempt involved the use of new and previously known bugs.
In the new Pwn2Own category called SOHO Smashup, a small office / home office (SOHO) scenario is simulated, with the goal being to hack a router on the WAN interface and then pivoting to the LAN, where a second device is hacked, such as a NAS appliance, a smart speaker, or a printer.
Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.
The list of devices hacked on the second day of Pwn2Own, for which participants earned between $1,250 and $10,000, includes HP, Lexmark and Canon printers, and Netgear, Synology and TP-Link routers.
ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities.
Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.