Researchers Discover Over 70 Zero-Day Bugs at Pwn2Own Ireland

Summary: A Vietnamese team, Viettel Cyber Security, won the inaugural Pwn2Own Ireland event, earning over $205,000 for discovering multiple zero-day vulnerabilities across various devices. The competition highlighted the importance of responsible disclosure to enhance product security for end users.

Threat Actor: Viettel Cyber Security
Victim: Various manufacturers

Key Points:

  • Viettel Cyber Security won the competition by exploiting vulnerabilities in several devices, including storage solutions and printers.
  • The event showcased over 70 zero-day vulnerabilities, emphasizing the role of ethical hackers in improving product security.
  • Meta sponsored the event but no exploits were found for WhatsApp, highlighting challenges in discovering zero-click vulnerabilities.
  • The next Pwn2Own event will focus on automotive systems, scheduled for January 2025 in Tokyo.

A team from Vietnam scooped the top prize at the very first Pwn2Own Ireland event on Friday, with over $1m in awards handed out by Trend Micro's Zero Day Initiative (ZDI) for dozens of new discoveries.

The popular hacking competition set up camp in Trend Micro's Cork office for the first time last week, with competitors discovering and demonstrating exploits for over 70 zero-day vulnerabilities. These will now be responsibly disclosed to the relevant vendors for patching.

Viettel Cyber Security was the overall winner, scooping $205,000 in prize money for exploits of a TrueNAS Mini X enterprise storage solution, a Lorex 2K WiFi camera, a QNAP QHora-322 router, a Sonos Era 300 speaker, an HP Color LaserJet Pro MFP printer, a Lexmark CX331adwe printer and a QNAP TS-464 NAS storage device.

However, the true winners of the competition will be end users of the products targeted by the contestants, as they should in time benefit from more secure kit.

A growing number of manufacturers are getting involved in the competition in order to place their products in front of a highly motivated bunch of ethical hackers.

For the first time, Pwn2Own welcomed Meta as a sponsor this year, although no teams were able to find a workable exploit for WhatsApp in a new Messenger App category of the competition. It is zero-click vulnerabilities like this that commercial spyware makers are notorious for finding and exploiting for their customers.

The next event is slated for January 22 2025, and will take place, as per this year, in Tokyo. In the Japanese capital, competitors will be tasked with finding exploits for vulnerabilities in automotive systems, with the following categories: Tesla, In-Vehicle Infotainment (IVI), Electric Vehicle Chargers, and Operating Systems.

In March this year, a team of French security researchers won a Tesla Model 3 and $200,000 after finding and exploiting a zero-day vulnerability in a vehicle's electronic control unit (ECU).

Source: https://www.infosecurity-magazine.com/news/researchers-70-zeroday-bugspwn