Last week, we completed our largest Pwn2Own contest ever. We saw 66 entries over four days and witnessed some amazing research resulting in $989,750 USD for 63 unique 0-days. However, the lead-up to the event was anything but smooth sailing on calm seas. Here’s the wrap video summarizing the event:
When we published the rules, we anticipated quite a bit of interest in both the routers and the SOHO Smashup targets. What we didn’t expect was 85 entries overall. To put some perspective on that number, in 2017, we had 13 total entries in what was (at the time) our largest event ever. We’ve had some growth.
While we were struggling to find a way to run that many attempts in three days, the first of several patches appeared. Most notably, NETGEAR released a fix specifically targeting bugs that were scheduled to be demonstrated during the contest. TP-Link and Sonos also released updates. As a consequence, many contestants withdrew their entries. Our inbox was flooded with questions about various updates and configuration details. At one point, we were down to just over 50 entries. One of our goals with Pwn2Own is to incentivize companies to improve the security of their devices and services, so it’s great to see improvements happen – whether they are a direct result of Pwn2Own entries or pre-emptive patches that stop Pwn2Own entries. It also highlights the skill and ingenuity of the researchers participating in the contest as many had quickly bypassed the patch and re-submitted entries. By the time we started the contest, we had ramped back up to 66 entries scheduled for four days.
Many don’t realize that each attempt needs at least two hours scheduled. The most obvious 30 minutes are the attempt itself. Before the attempt, we need time to set up the test environment. Sometimes that’s as simple as connecting a printer to a switch and giving it an IP address. Other times, it can be quite complex depending on the target. We need time after the attempt, too. The contestants provide ZDI analysts with the details of the bugs they used in their exploit. Pwn2Own is a true 0-day contest, which means an entry doesn’t qualify for the full award if we already know about the bug. In the past, we’ve seen contestants submit bugs to us and the vendors prior to the event in an attempt to kill their competitor’s bugs. Sometimes it works. Finally, we bring the vendors in to disclose the bugs to them as well. They are allowed to ask questions directly to the researchers about their entry. “How did you find this?” is a popular one. This is another great resource Pwn2Own provides – a bridge between a global network of independent researchers and vendors creating the services and products we all rely on.
Now that we have identified the targets, published the rules, applied the patches, held the drawing, and made the schedule (whew!), we are ready to run an attempt. A ZDI analyst, sometimes “a gruff-looking bald man with a goatee,” will ask if you are ready, and the countdown begins. Now we find out if your hours and hours of research will work as intended or if something goes awry. Most often, the exploit succeeds and everyone claps. Visually, there’s not a lot to see. We can’t show the screens because we’re dealing with unpatched bugs. We don’t want them unintentionally exposed. Sometimes it fails. Contestants have the opportunity to make changes to their exploit, confirm configurations, ask questions, and try again. Sometimes they triumph on a subsequent attempt, which happened multiple times in this contest. For those interested, here’s a list of the bug types used during the event:
Once the contest is complete, our work continues as we coordinate the release of the patches with the vendors, develop protection rules for the various Trend Micro products we support, and work on paying the winners. While it really is a mountain’s worth of effort, Pwn2Own is one of the highlights of our year. And there’s always another one coming up. Just days before the Toronto event occurred, we announced the rules and targets for our Miami contest, which happens in February.
I’ve literally lost count of how many Pwn2Owns I have participated in. Each one has its own unique story. Each one leaves us a different sort of exhausted. Each one shows us something we’ve never seen before. And that’s why we’ll keep doing them as long as the powers that be allow us to do so. We hope to see you at one someday soon.
Written by admin