Bug Hunters Earn $195,000 for Hacking TVs, Routers, Phones at Pwn2Own Tokyo 2019

Bug hunters have earned a total of $195,000 for finding flaws in TVs, routers and smartphones on the first day of the Pwn2Own Tokyo 2019 contest.

Pwn2Own is the annual hacking contest event organized by Trend Micro’s Zero Day Initiative (ZDI). Pwn2Own Tokyo 2019 contest offers over $750,000 in rewards for working exploits targeting one of the devices in a list of 17 systems. For the first time, This is the ever, Pwn2Own Tokyo 2019 is asking participants to find vulnerabilities in the Portal smart display and the Facebook Oculus Quest virtual reality headset.

“The first day of Pwn2Own Tokyo 2019 has come to a close, and some amazing research was demonstrated throughout the day. In total, we awarded $195,000 for 12 total bugs.” states the post published by ZDI. “The day saw nine successful attempts against seven targets in five categories.”

On the first day, white hat hackers that participated in the contest made a total of 10 attempts.

The day started with Amat Cama and Richard Zhu of team Fluoroacetate earning $15,000 for hacking a Sony X800G TV. The security duo exploited a JavaScript out-of-bounds read flaw in the built-in web browser.

The flaw could be exploited by an attacker to get a shell on the device by tricking the victim into visiting a malicious website from the TV’s built-in browser.

“The Fluoroacetate duo used a Javascript OOB Read bug to exploit the television’s built-in web browser to get a bind shell from the TV. They earned $15K and 2 Master of Pwn points.” reads a post published by the Zeroday Initiative.

Cama and Zhu also earned $60,000 for taking control of an Amazon Echo device by exploiting an integer overflow, and $15,000 for exploiting an integer overflow to get a reverse shell on a Samsung Q60 TV.

The duo also received $20,000 by exploiting a JavaScript flaw that jumped the stack to exfiltrate a picture from the Xiaomi Mi9. The attack scenario sees the victim into visiting a specially crafted website.

Cama and Zhu also earned $30,000 for stealing a picture from a Samsung Galaxy S10 via NFC.

Another duo of experts, Pedro Ribeiro and Radek Domanski of Team Flashback, earned $5,000 for taking control of a NETGEAR Nighthawk Smart WiFi router (R6700) over the LAN interface. Ribeiro and Domanski also received $20,000 for hacking the same router over the WAN interface and remotely modifying its firmware for persistence across a factory reset.

The duo Team Flashback also received $5,000 for a code execution exploit chain against the TP-Link AC1750 Smart WiFi router over the LAN interface.

On the same day, the F-Secure Labs team obtained a partial success, it chained two logic flaws to exfiltrate a picture from the phone, one of the issues was known by the vendor. Anyway, the group received $20,000 and 2 Master of Pwn points.

Another partial success was obtained by Richard and Amat that used an integer overflow with a UAF to escape the sandbox, however, the overflow was already known.

On the second day there will be seven attempts … stay tuned!

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Pwn2Own Tokyo 2019, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]