Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020
Bug bounty hunters have hacked routers, network-attached storage (NAS) devices and smart TVs at the Zero Day Initiative’s Pwn2Own Tokyo 2020 hacking competition.
Due to the COVID-19 pandemic, the competition has been turned into a virtual event and Pwn2Own Tokyo is actually coordinated by Trend Micro’s ZDI from Toronto, Canada, with participants demonstrating their exploits remotely.
Organizers have offered significant prizes for exploits targeting a wide range of mobile and IoT devices, but participants have only focused on routers, NAS products and TVs.
In total, participants were awarded $136,000 for 23 unique vulnerabilities across six different devices. Impacted vendors have been given 120 days to release patches before details are made public by ZDI.
A dozen teams and individuals signed up for this year’s Pwn2Own Tokyo. The winner was Team Flashback, which earned a total of $40,000 for hacking TP-Link AC175 and NETGEAR Nighthawk R7800 routers.
The second-place team, DEVCORE, earned $20,000 for successfully demonstrating an exploit against a Synology DiskStation DS418Play NAS product, and $17,500 for an exploit targeting a Western Digital My Cloud Pro Series PR4100 NAS device.
The Trapa Security team took home $20,000 for an exploit targeting the WD device, and $5,000 for a NETGEAR router hack. The same total amount was earned by the STARLabs team for exploits targeting the NETGEAR router and the Synology NAS device.
Participants also hacked Samsung and Sony smart TVs, but they didn’t earn any money since the vulnerabilities they leveraged were already known.
At last year’s Pwn2Own Tokyo, participants earned a total of $315,000 for disclosing 18 vulnerabilities.
China’s Tianfu Cup hacking competition also took place over the weekend, with participants earning a total of over $1.2 million, including $180,000 for iPhone exploits, $180,000 for VMware ESXi exploits, and $80,000 for Samsung Galaxy S20 exploits.