IoT Security

Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020

Pwn2Own Tokyo 2020

November 9, 2020

Pwn2Own Tokyo 2020

Bug bounty hunters have hacked routers, network-attached storage (NAS) devices and smart TVs at the Zero Day Initiative’s Pwn2Own Tokyo 2020 hacking competition.

Due to the COVID-19 pandemic, the competition has been turned into a virtual event and Pwn2Own Tokyo is actually coordinated by Trend Micro’s ZDI from Toronto, Canada, with participants demonstrating their exploits remotely.

Organizers have offered significant prizes for exploits targeting a wide range of mobile and IoT devices, but participants have only focused on routers, NAS products and TVs.

In total, participants were awarded $136,000 for 23 unique vulnerabilities across six different devices. Impacted vendors have been given 120 days to release patches before details are made public by ZDI.

A dozen teams and individuals signed up for this year’s Pwn2Own Tokyo. The winner was Team Flashback, which earned a total of $40,000 for hacking TP-Link AC175 and NETGEAR Nighthawk R7800 routers.

The second place team, named DEVCORE, earned $20,000 for successfully demonstrating an exploit against a Synology DiskStation DS418Play NAS product, and $17,500 for an exploit targeting a Western Digital My Cloud Pro Series PR4100 NAS device.

The Trapa Security team took home $20,000 for an exploit targeting the WD device, and $5,000 for a NETGEAR router hack. The same total amount was earned by the STARLabs team for exploits targeting the NETGEAR router and the Synology NAS device.

Participants also hacked Samgung and Sony smart TVs, but they didn’t earn any money since the vulnerabilities they leveraged had already been known.

At last year’s Pwn2Own Tokyo, participants earned a total of $315,000 for disclosing 18 vulnerabilities.

China’s Tianfu Cup hacking competition also took place over the weekend, with participants earning a total of over $1.2 million, including $180,000 for iPhone exploits, $180,000 for VMware ESXi exploits, and $80,000 for Samsung Galaxy S20 exploits.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Webinar: How to Build Resilience Against Emerging Cyber Threats

Thursday, March 16, 2023

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Webinar: Understanding Hidden Third-Party Identity Access Risks

Tuesday, March 28, 2023

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Tackling the Challenge of Actionable Intelligence Through Context

Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization. (Marc Solomon)

Malware Trends: What’s Old Is Still New

Many of the most successful cybercriminals are shrewd; they want good ROI, but they don’t want to have to reinvent the wheel to get it. (Derek Manky)

Are Encryption and Zero Trust Breaking Key Protections?

Compliance and ZTNA are driving encryption into every aspect of an organization’s network and enterprise and, in turn, forcing us to change how we think about protecting our environments. (Matt Wilson)

How the Best CISOs Drive Operational Resilience

Cyberattacks have exposed a myriad of vulnerabilities in our healthcare infrastructure, and will continue to do so as new and innovative medical technologies are developed. (Galina Antova)

Defeating the Deepfake Danger

Deepfakes are becoming increasingly popular with cybercriminals, and as these technologies become even easier to use, organizations must become even more vigilant. (Derek Manky)