Ethical hackers, the security researchers who choose to put their undoubted skills to good use by uncovering previously unknown vulnerabilities, have showcased their talent this week at PWN2OWN Vancouver. In its 15th anniversary year, the elite hacking event created by the Trend Micro Zero Day Initiative (ZDI) pays big bounties to those who reveal zero-days impacting the most prominent of vendors. Remember, hackers are not criminals, and hacking is not a crime when talking about people finding and responsibly disclosing such vulnerabilities.
Day one of PWN2OWN Vancouver 2022 breaks products, and records
Day one of PWN2OWN Vancouver 2022 is now complete, and 16 such zero-days were demonstrated. This is a record number for the hacking contest, earning the hackers involved an equally impressive $800,000. What’s more, all of the ten hacks attempts from day one were successful.
The PWN2OWN event takes place over three days, ending on Friday, May 20. I will be sure to update this story as and when other significant results are known, with a likely round-up on Saturday. Here are the headline hacks from day one.
Microsoft Windows 11 and Microsoft Teams, hacked
Hackers from the Singapore-based Star Labs team demonstrated a zero-click zero-day exploit targeting Microsoft Teams that earned $150,000. The same team also revealed an escalation of privilege zero-day impacting Windows 11 and were rewarded with a further $40,000 for their efforts.
Another hacker, Hector “p3rr0” Peralta, also succeeded where Microsoft Teams was concerned and won $150,000 for his effort, and Marcin Wiazowski got $40,000 for an escalation of privilege zero-day on Windows 11. Masato Kinugawa was also awarded $150,000 for a Microsoft Teams sandbox escape.
Apple Safari, Mozilla Firefox and Ubuntu Desktop, hacked
Meanwhile, Manfred Paul managed to hack both Apple Safari and Mozilla Firefox browsers for a total of $150,000 in prize money.
And finally, the Linux Ubuntu Desktop fell victim to Team Orca from Sea Security which won $40,000, and Keith Yeo, who received the same amount.
Why this list of zero-day exploits is good news for product security
This might sound like bad news from the security perspective, but actually, it’s far from it. Technical detail of all the hacks, including the vulnerabilities being exploited, are disclosed to the vendor concerned. Patches are then created and rolled out to users before more information is made publicly available. This is good security in action, working as it should.
PWN2OWN Vancouver, 2022 day two: will the Tesla Model 3 get hacked?
What can we expect from day two of PWN2OWN Vancouver 2022? More of the same, in terms of successful zero-day hacks being demonstrated, I will hazard to predict. The difference is the addition of another big target in the hacking crosshairs: the Tesla Model 3. I’ll be back tomorrow, reporting on all the results that matter.