At this year’s Pwn2Own hacking competition in Vancouver, participants uncovered vulnerabilities in Microsoft Teams, Windows 11, Firefox, Safari, VirtualBox and Ubuntu. A Tesla Model 3 was also hacked.
At the end of last week, the Pwn2Own hacker competition took place for the 15th time in Vancouver, Canada. The organizer was Trend Micro’s Zero Day Initiative (ZDI), supported by partners and sponsors such as Microsoft, Tesla, Zoom and VMware. The 17 participants made 21 attempts to exploit a total of 25 previously unknown vulnerabilities in the provided products. Almost all attempts were successful and prize money totaling US$1,155,000 was paid out.
One of the main targets of the hackers was Microsoft Teams. Four of the participating groups and individuals attempted it and three were successful. With a total of $450,000, more than a third of the prize money was awarded for Teams hacks. Windows 11 was also compromised several times. Six out of seven attempts worked, each bringing in prize money of $40,000.
Linux was also represented as a target, more precisely the current Ubuntu Desktop. Here, all five exploit attempts were crowned with success and yielded a total of $200,000 in prize money. Only the STAR Labs team tried VirtualBox and received $40,000 for their hack.
Only Manfred Paul from the Bonn RedRocket Club, but without being there himself. Paul used two vulnerabilities in Firefox, including a sandbox breakout, and one in Safari to win $150,000. As always, Mozilla reacted very quickly and released security updates (Firefox 100.0.2, Firefox ESR 91.9.1) on Friday, before the end of the competition, to eliminate the vulnerabilities. Shortly before the competition, Apple released an update to Safari 15.5.
Synacktiv Team vs. Tesla Infotainment
© Trend Micro ZDI
The Tesla Model 3’s Chromium-based infotainment system offered little resistance to the Synacktiv team. They combined two new bugs with a known sandbox breakout and received $75,000 for it. It only took them a minute. The two Frenchmen were on site and later, for a demonstration, standing next to the vehicle with the notebook, turned on the windshield wipers and the lights and unlocked the hood. The second participant, who had tried the Tesla, failed because of the time limit. Still, ZDI bought the exploit to pass it on to Tesla.
Master of Pwn
The STAR Labs team from Singapore brought the most exploits with them. They hacked Microsoft Teams, Windows 11, Ubuntu and VirtualBox. This earned them overall victory in the competition, the title of Master of Pwn, and a total of $270,000 in prize money. Three participants, each with $150,000 in prize money, ended up in first place, including Manfred Paul. Traditionally, contestants also win the devices that ran the successful exploits.
Part of the Pwn2Own competition is that all information on the exploits used is handed over to the product manufacturers on site. They then have 90 days to close the vulnerabilities before ZDI publishes the details.