Hackers win nearly $1 million in device-focused Pwn2Own contest

Hackers win nearly $1 million in device-focused Pwn2Own contest

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices during the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, as well as routers and network-attached storage devices from Synology and Netgear.

According to Trend Micro’s Zero Day Initiative (ZDI), which ran the contest last week, the collection of vulnerabilities earned $989,750 for offensive cybersecurity specialists participating in the contest. While some attacks chained a series of exploits to take control of remote devices, including one that used five vulnerabilities, others found a single security flaw to target, such as the Pentest Limited team, which found a One-click reliable exploit in Samsung Galaxy S22 mobile phone which took less than a minute to attack.

Samsung’s exploit highlighted significant vulnerabilities yet to be discovered, says Dustin Child, threat awareness manager at Trend Micro’s Zero Day Initiative.

“Just click a link on an affected device and you become the owner,” he says. “This is also a very reliable bug. Very impressive research and a pretty good demonstration of why clicking unknown links can be dangerous.”

Focus on IoT and mobile

Pwn2Own began in 2007 as an annual competition linked to the annual CanSecWest conference, but has since branched out into two competitions: one focused on computer operating systems and applications, and the other – which includes the latest competition – focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists uncovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI said in a summary of the results of the competition.

Since many devices are commonly used by small and medium-sized businesses (SMBs), companies should take the competition results as a wake-up call, Child says.

“If anything, SMBs need to understand that while they may not feel like they’re big enough to be a target, their devices can and will be targeted by threat actors,” he said. “TO [this] Sometimes attackers are just looking to add nodes to their botnet, but whatever the intent, the devices we rely on for business can be compromised if left unprotected. »

Buffer overflows keep seeping in

Unfortunately, one class of vulnerabilities that continues to represent a fertile ground for attackers to exploit is memory security vulnerabilities, such as buffer overflows. While major software vendors have started using memory-safe programming languages ​​to avoid memory-related issues, many device manufacturers are still lagging behind.

Many of the vulnerabilities discovered in the contest were buffer overflows, Child says.

“This form of memory corruption has been known for a while, so we were a bit surprised to see it still prevalent in multiple devices,” he says.

Among the most targeted devices were printers, with Lexmark, HP and Canon printers being among those favored by participants. While routers also made up a large share of targeted devices, they reportedly saw more abuse this year, except last-minute fixes from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors out. of competition, says Child.

Reading the Mario theme on a Lexmark

Some of the printer’s exploits showed additional creativity. In the past, hackers would simply exploit a system and force it to run Microsoft Paint or call a calculator application to demonstrate their potential to execute arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer monitor screen.

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the Mario theme, even though the device lacks this feature.

“Since the printer doesn’t have a speaker, we didn’t expect it to play a song, but they modulated the beep frequency to add the music feature,” Child says.

Data management vendors Synology and online giant Google both co-sponsored the competition.

#Hackers #win #million #devicefocused #Pwn2Own #contest

Leave a Comment

Your email address will not be published. Required fields are marked *