Pwnie Awards 2020 winners include Zerologon, CurveBall, Checkm8, BraveStarr attacks
The winners of the 2020 Pwnie Awards were announced earlier today at the Black Hat Europe security conference.
The awards are to the cyber-security field what the Oscars and the Razzie awards, combined, are to the movie industry.
Each year, cyber-security professionals are invited to nominate and then vote for both the best and worst in their industry. This includes selecting the best and most ingenious vulnerabilities discovered over the past twelve months, but also the worst vendor responses and epic fails that have ended up putting users at risk.
For the past decade, the Pwnie Awards ceremony has taken place during the Black Hat USA security conference, each August, in a Las Vegas hotel, where organizers usually hand out plastic pony dolls with pink hair to the winners of their categories.
However, this year marked the first time since its inception that the Pwnie Awards was hosted in a virtual format and also moved to the European edition of the Black Hat conference, which usually takes place at the end of November and start of December. Reasons? The COVID-19 pandemic, of course.
But, without further ado, here are this year’s winners, along with links to their respective research, if available online:
- Best server-side bug: BraveStarr – a remote code exploit in the Telnet daemon on Fedora 31 servers.
- Best client-side bug: For a zero-click MMS attack on Samsung phones, bug discovered by the Google Project Zero team.
- Best privilege escalation bug: Checkm8 – an unpatchable hardware jailbreak for seven generations of Apple silicon.
- Best cryptography attack: Zerologon – a bug in Microsoft’s Netlogon authentication protocol that can be performed by adding adding a bunch of zero characters in certain Netlogon authentication parameters.
- Most innovative research: TRRespass – bypassing TRR protections on modern RAM cards to carry out Rowhammer attacks.
- Lamest vendor response: Daniel J. Bernstein – for mishandling a bug way back in 2005.
- Most under-hyped research: To Gabriel Negreira Barbosa, Rodrigo Rubira Branco (BSDaemon), Joe Cihula (Intel), for discovering CVE-2019-0151 and CVE-2019-0152 in Intel’s System Management Mode (SMM) and Trusted Execution Technology (TXT).
- Most epic fail: Microsoft for CurveBall, a bug in how the company implemented elliptic curve signatures on Windows, allowing for easy spoofing of HTTPS sites and legitimate apps.
- Epic achievement: To Guang Gong, a known Chinese bug hunter, for discovering CVE-2019-5870, CVE-2019-5877, CVE-2019-10567, three bugs that allowed remote takeovers of Android Pixel devices [see PDF].