
Our ICS-Themed Pwn2Own Contest Returns to Miami in 2022

25 October 2021 at 13:14

¡Bienvenidos de nuevo a Miami!

Our inaugural Pwn2Own Miami was held back in January 2020 at the S4 Conference, and we had a fantastic time as we awarded over $280,000 USD in cash and prizes for 24 unique 0-day vulnerabilities. At the time, we couldn’t wait to get back to South Beach for the next contest. Of course, the rest of 2020 happened, so those plans were put on hold. Today, we are excited to announce Pwn2Own Miami returns in person to S4 on January 25-27, 2022. As of now, we are planning on running the contest in Miami and hope to have contestants in the room with us. However, we know not everyone is ready to hit the road again, so we will also still allow remote participation.

This will be our first “hybrid” event with contestants participating locally (hopefully) and remotely. Even though we will be at the Fillmore, we realize not everyone can be there with us. If you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest registration deadline (January 21, 2022) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry. A member of the ZDI staff in Miami will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur. Otherwise, the contest will run as we have in the past. We will have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there.

This contest is not possible without the participation and help from our partners within the ICS community, and we would like to especially thank Schneider Electric, OPC Foundation, Inductive Automation, and Triangle Microworks for their expertise and guidance. Their cooperation is essential in ensuring we have the right categories and targets to create a meaningful test of the security of these products and protocols. Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they’re actively exploited by attackers. These vendors have been instrumental in making that goal a reality.

The 2022 edition of Pwn2Own Miami has four categories:

- Control Server
- OPC Unified Architecture (OPC UA) Server
- Data Gateway
- Human Machine Interface (HMI)

Control Server Category

The Control Server category covers server solutions that provide connectivity, monitoring, and control across disparate Programmable Logic Controller (PLC) and other field systems. An attacker who took over a control server could alter the process in any way they wanted and would only be limited by their engineering and automation skills. The targets in this category include the control servers from Iconics and Inductive Automation.

An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network or by opening a file within the target on the contest laptop. The files that are eligible to be opened must be file types that are handled by default by the target application. A successful entry in the category must result in arbitrary code execution.

[image: ControlServer.png (prize table)]

OPC UA Server Category

The OPC Unified Architecture (UA) is a platform-independent, service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework. OPC UA serves as the universal translator protocol in the ICS world. It is used by almost all ICS products to send data between disparate vendor systems. OPC UA was designed to be more secure than the DCOM transport of OPC Classic and is gaining in popularity. This category has four products: the Unified Automation C++ Demo Server, the OPC Foundation OPC UA .NET Standard, the Prosys OPC UA SDK for Java, and the Softing Secure Integration Server.

A successful entry in this category must result in a denial-of-service condition, arbitrary code execution, or a bypass of the trusted application check that occurs after the creation of a secure channel. OPC UA servers usually restrict which client applications may connect, so bypassing that check is a prime target for attackers.
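To make the "trusted application check" concrete, here is an added example in Go (not code from the ZDI post or from any of the listed servers) of the checks a server runs on the client's application instance certificate once the secure channel is up and the client asks for a session. It follows the OPC UA conventions of identifying certificates by the SHA-1 thumbprint of their DER encoding and carrying the ApplicationUri as a URI subjectAltName; the trust list, certificate names and ApplicationUri are constructed for the example, and the WeakValidate function is a hypothetical contrast that matches on subject common name only, not any product's actual behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Thumbprint is the SHA-1 of the DER-encoded certificate. OPC UA identifies
// certificates by this value (the OpenSecureChannel header carries the
// receiver's thumbprint), and trust lists are conventionally keyed on it.
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// TrustList stands in for the server's trusted-certificate store: thumbprints
// an operator has explicitly accepted. Constructed for this example.
type TrustList map[string]bool

// ValidateApplication is the strict check: the client certificate must be
// pinned in the trust list, be inside its validity period, and carry (as a
// URI subjectAltName) the ApplicationUri the client claims in its
// ApplicationDescription when it creates the session.
func ValidateApplication(trust TrustList, der []byte, claimedURI string, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if !trust[Thumbprint(der)] {
		return errors.New("certificate thumbprint not in trust list")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	for _, u := range cert.URIs {
		if u.String() == claimedURI {
			return nil
		}
	}
	return errors.New("claimed ApplicationUri not present in certificate")
}

// WeakValidate is a hypothetical contrast, not any listed product's code:
// it trusts on subject common name alone, so a self-signed certificate
// minted with the same CN passes. That is the kind of gap the category pays for.
func WeakValidate(trustedCN string, der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != trustedCN {
		return errors.New("unknown application")
	}
	return nil
}

// NewAppCert mints a self-signed application instance certificate with the
// ApplicationUri in its URI subjectAltName (constructed test data).
func NewAppCert(cn, appURI string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(appURI)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		URIs:                  []*url.URL{u},
		BasicConstraintsValid: true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Now()
	const uri = "urn:example:client:historian" // constructed ApplicationUri
	genuine, _ := NewAppCert("historian", uri, now.Add(-time.Hour))
	forged, _ := NewAppCert("historian", uri, now.Add(-time.Hour)) // same CN and URI, different key
	trust := TrustList{Thumbprint(genuine): true}

	fmt.Println("genuine, strict:", ValidateApplication(trust, genuine, uri, now))
	fmt.Println("forged, strict: ", ValidateApplication(trust, forged, uri, now))
	fmt.Println("forged, weak:   ", WeakValidate("historian", forged))
}
```

The forged certificate carries the same common name and the same ApplicationUri as the trusted one, so the name-only check accepts it while the thumbprint-pinned check rejects it; a real server additionally verifies the certificate signature and chain, which is omitted here because the example uses self-signed certificates.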

[image: OPC UA.png (prize table)]

Data Gateway Category

This category focuses on products that bridge devices speaking different protocols. There are two products in this category. The first is the Triangle Microworks SCADA Data Gateway. Triangle Microworks makes the most widely used DNP3 protocol stack. The other is the Kepware KEPServerEX server, an industry-leading connectivity platform that provides a single source of industrial automation data to multiple applications.

A successful entry in the category must result in arbitrary code execution.

[image: Data Gateway-b.png (prize table)]

Human Machine Interface (HMI)

If you’re familiar with ICS at all, you’ve likely heard of the Human Machine Interface (HMI). The HMI connects the operator of an ICS to its various hardware components. Attackers who take over the HMI can prevent the operator from seeing process issues in the ICS until it is too late. Our HMI category consists of the AVEVA Edge and the Schneider Electric EcoStruxure Operator Terminal Expert.

A successful entry in this category must result in arbitrary code execution.

[image: HMI.png (prize table)]

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, and Pwn2Own Miami is no exception. Earning the title results in a slick trophy and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2023, which includes a one-time bonus estimated at $25,000).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.

As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If a contestant decides to withdraw from the registered attempt before the actual attempt, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest. Since Pwn2Own is now often a team competition, along with the initial deduction of points, the same number of Master of Pwn points will also be deducted from all contestant teams from the same company.

The Complete Details

The full set of rules for Pwn2Own Miami 2022 is available here. The rules may be changed at any time without notice. We encourage entrants to read them thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contestant order. Again, this random drawing will not impact awards. Contest registration closes at 5:00 p.m. Eastern Standard Time on January 21st, 2022.

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OMiami hashtag for continuing coverage.

We look forward to seeing everyone again in Miami, and we look forward to seeing what new exploits and attack techniques they bring with them.


Adding a Beta NAS Device to Pwn2Own Austin

14 October 2021 at 20:26

Today, we are announcing the inclusion of the beta version of the Western Digital 3TB My Cloud Home Personal Cloud in our upcoming Pwn2Own Austin competition. Normally, devices under test are updated to the most recent publicly available patch level. This is still the case. However, our partners over at Western Digital wanted to include their upcoming beta software release in this year’s event. Consequently, we are adding the beta version as an available target in addition to the existing current version of the NAS device.

If a contestant can get code execution on the beta release of the Western Digital 3TB My Cloud Home Personal Cloud, they will earn $45,000 (USD) and 5 Master of Pwn points. There are some significant differences between the released software version and the beta version, so we suggest contestants upgrade their systems to test their exploits prior to the contest. To get the beta version installed on your NAS, you will need to enter your email address and the MAC address of your device in this form. Within a few hours, an automated process to update the NAS will begin. The updates will take you from 7.15.1-101 (current) to 7.16.0-216 and then the beta 8.0.0-301. Please note that not all features and applications included in the current version of the software release are available in the beta version.

Again, registration for the contest closes at 5:00 p.m. Eastern Daylight Time on October 29, 2021. A full copy of the rules – including this new change – is available here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. If you have any questions, please forward them to [email protected].

We believe exploiting the beta version of this software will not be trivial, but we certainly hope someone tries. We look forward to seeing all the attempts and learning about the latest exploits and attack techniques on these devices.

Good luck, and we’ll see you in Austin.


Pwn2Own Austin 2021: Phones, Printers, NAS, and more!

12 August 2021 at 15:00

If you just want to read the rules, you can find them here.

Since its inception, our Fall Pwn2Own contest has focused on consumer devices – even as the contest itself has wandered around the world. It started in Amsterdam in 2012 with just mobile phones. The next year, the contest moved to Tokyo to be held concurrently with the PacSec Applied Security conference and, over the years, grew to include TVs, wearables, and smart speakers. Last year, the contest moved to Toronto and expanded again to include Network Attached Storage (NAS) devices. For 2021, we’re on the move again. This year, we’ll be hosting Pwn2Own at our headquarters in Austin, Texas, on November 2-4, 2021. For this year’s event, we’re growing again to reflect the home-office environment many currently find themselves in by expanding the router category and adding a printer category. In all, we’ll have 22 devices available as targets and be offering more than $500,000 USD in prize money.

Similar to how we’ve conducted our last few Pwn2Own events, we will allow remote participation in this inaugural Pwn2Own Austin. As of now, we are planning on having contestants in person if possible. However, if you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest deadline (October 29, 2021) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry by November 1, 2021. A member of the ZDI staff in Austin will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.

Otherwise, the contest will run as we have in the past. We will have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Our intention with allowing remote participation is to provide as many people as possible with the benefits of participating in Pwn2Own while still treating all contestants as equally as possible. As always, if you have questions, please contact us at [email protected]. We will be happy to address your issues or concerns directly.

As for the contest itself, we’re pleased to announce Western Digital has joined us as an Event Partner this year, offering three of its devices as targets. We’ve also signed on Synology to co-sponsor the competition. Western Digital and Synology devices will be prime targets for researchers. Both vendors had NAS devices featured in last year’s event, and we’re thrilled they decided to expand their participation in this year’s contest. Vendor participation remains a key component to the success of these contests. As with our other Pwn2Own competitions, Pwn2Own Austin seeks to harden these consumer-focused devices and their operating systems by revealing vulnerabilities and providing that knowledge to the vendors. As always, the goal is to get these bugs identified and fixed before they’re exploited by threat actors.

The Target Handsets

At its heart, Pwn2Own Austin (once known as Pwn2Own Mobile) looks at mobile phones, and our move to Texas doesn’t change this fact. Here are the target handsets for Pwn2Own Austin 2021:

Google Pixel 5
Samsung Galaxy S21
Apple iPhone 12

As always, these phones will be running the latest version of their respective operating systems with all available updates installed. We’ve increased the rewards on these targets to add further incentives on these handsets.

Printers, Network Attached Storage, Smart Speakers, Televisions, and More

Over the past few years, we’ve been expanding the targets to include more than just mobile phones. Last year, we introduced Network Attached Storage (NAS) devices. This year, we’re including printers as a target. Print spooler bugs have garnered much attention this summer, but what about the devices themselves? We’ll find out, as printers from HP, Lexmark, and Canon will be put to the test.

Here’s the full list of all devices included in this year’s event:

Printers:

HP Color LaserJet Pro MFP M283fdw
Lexmark MC3224i
Canon ImageCLASS MF644Cdw

Home Automation:

Portal from Facebook
Amazon Echo Show 10
Google Nest Hub (2nd Gen)
Sonos One Speaker
Apple HomePod mini

Televisions:

Sony X80J Series - 43”
Samsung Q60A Series – 43”

Routers:

TP-Link AC1750 Smart Wi-Fi Router
NETGEAR Nighthawk Smart Wi-Fi Router (R6700 AC1750)
Cisco RV340
Mikrotik RB4011iGS+RM
Ubiquiti Networks EdgeRouter 4

Network Attached Storage (NAS):

Synology DiskStation DS920+
Western Digital My Cloud Pro Series PR4100
Western Digital 3TB My Cloud Home Personal Cloud

External Storage:

SanDisk Professional G-DRIVE ArmorLock SSD 1TB

As with the phones, these devices will be updated to the most recent patch level or system update, and all will be in their default configuration.

Pwn2Own Austin Challenges for 2021

Now that you know the devices available, let’s look at the different categories of challenges, starting with the mobile handsets.

Mobile Phone Category

In this category, contestants must compromise the device by browsing to web content in the default browser for the target under test or by communicating with the following short distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. The awards for this category are:

[image: Phone_Table.png (prize table)]

This category also includes an add-on bonus. If your exploit payload executes with kernel-level privileges, you earn an additional $50,000 and 5 more Master of Pwn points. That means a full iPhone or Pixel browser exploit with kernel-level access will earn $200,000.

Challenges Involving Other Devices

This is our fourth year including other types of consumer and home automation devices, and each year brings new research that exceeds our expectations. Last year we saw NAS devices compromised as a part of the contest. They return along with an expanded routers list and the aforementioned printers. It should be a great contest.

Printer Category

An attempt in this category must be launched against the target’s exposed network services from the contestant’s device. Three popular color laser multifunction printers, from HP, Lexmark, and Canon, are included in this year’s event.

[image: Printer_Table.png (prize table)]

NAS Category

This is the second year for NAS devices at Pwn2Own, and both Synology and Western Digital have returned with their latest offerings. An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.

[image: NAS_Table2.png (prize table)]

For details about the 3TB My Cloud Home Personal Cloud from WD - firmware version 8.xx.xx-xxx (Beta), see the supplemental blog here.

External Storage Category

While not as complex as a NAS server, external storage devices offer a tempting target for attackers. This year’s contest adds a single device in this category. An attempt in this category must be launched against the target’s exposed interfaces and result in arbitrary code execution.

[image: Drive_Table.png (prize table)]

Home Automation Category

Smart speakers continue to play a large part in our daily interactions with music, news, and more. Pwn2Own Austin has five targets available in this category.

[image: Speaker_Table-2.png (prize table)]

Router Category

Past successful entries in this category have demonstrated some flair by having the LED lights flash in different patterns. This year, we add some more sophisticated routers to the list. An attempt in this category must be launched against the target’s exposed network services from the contestant’s device within the contest network.

[image: Router_Table-2.png (prize table)]

Contestants can register for attempts against the WAN interface, the LAN interface, or both interfaces on the same device.

Television Category

These days, it’s difficult to find a television set that doesn’t include a web browser and network applications. Pwn2Own Austin 2021 has two devices under test this year.

[image: TV_Table.png (prize table)]

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2022).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone 12 in the Browser category with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but completes the attempt. The final point total will be 10 Master of Pwn points.

The Complete Details

The full set of rules for Pwn2Own Austin 2021 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Eastern Daylight Time on October 29, 2021.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. We’ll also be broadcasting the event live on Twitch and YouTube. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OAustin hashtag for continuing coverage.

We look forward to seeing everyone in Austin and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Austin 2021 partner Western Digital for providing their hardware and support. Thanks also go to our Pwn2Own Austin 2021 sponsor, Synology, for providing their assistance and technology.


©2021 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.


Announcing Pwn2Own Vancouver 2021

26 January 2021 at 15:59

Jump to the contest rules (updated as of March 15, 2021)

This year marks the 14th anniversary of Pwn2Own, which has grown from a small, browser-focused event to become one of the most well-known security contests in the industry, with millions of dollars of cash and prizes made available to contestants over the years. Every year the contest changes a bit as we reflect on the changing world around us. As cloud computing grew, we added the Virtualization category. In 2019, we added the Automotive category. For this year’s event, we’re adding the Enterprise Communications category.

As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category. Tesla returns for this year’s contest but driving off with a brand-new Model 3 will be more of a challenge this year. Of course, that means the rewards are greater as well, with the top prize going for $600,000 (plus the car itself). Also new this year, Adobe joins as a partner for 2021. Their applications have been a frequent target in past contests, so it’s great to see their increased investments into community research.

For 2021, we’ll have a bit of a hybrid contest. Starting on April 6 and running through April 8, 2021, we’ll have ZDI staff in Toronto and Austin running the exploits. Contestants can be anywhere in the world and won’t need to travel. As we did with our fall event, everything will be live-streamed on Twitch, YouTube, and more. All told, more than $1,500,000 USD in cash and prizes are available to contestants, including the Tesla Model 3, in the following categories:

-- Virtualization Category
-- Web Browser Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

And, of course, Pwn2Own would not be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's take a look at the details of the rules for this year's contest.

Virtualization Category

Cars aren’t the only thing providing a big payout this year. VMware returns as a Pwn2Own sponsor for 2021, and we will again have VMware ESXi alongside VMware Workstation as targets, with awards of $150,000 and $75,000 respectively. Microsoft returns as a target for 2021 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox and Pwn2Own newcomer Parallels Desktop round out this category with a prize of $40,000 for either. Cloud computing relies on virtualization, as do many other critical computing functions. We’ve seen guest-to-host OS escapes in previous Pwn2Own contests. Here’s hoping we see more this year.

[image: Virtualization3.png (prize table)]

Rules updated as of March 15, 2021

For Oracle VirtualBox, VMware Workstation, and Microsoft Hyper-V Client, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Microsoft Windows 10 20H2 x64. For Parallels Desktop, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Apple macOS Big Sur. For VMware ESXi, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop. Certain optional components, such as RemoteFX, Legacy Network Adapter (Generation 1), and Fibre Channel Adapter, are not considered default and will be out of scope for the Microsoft Hyper-V Client target.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi and Parallels Desktop), they can earn an additional $40,000 and 4 more Master of Pwn points. 

Back to categories

Web Browser Category

Web browsers are the “traditional” Pwn2Own target, but this year, we’re adding a few wrinkles in that category. First, for Google Chrome and Microsoft Edge (Chromium), a successful demonstration no longer requires a sandbox escape. Renderer-only exploits will earn $50,000, but if you have that sandbox escape or Windows kernel privilege escalation, that will earn you $150,000. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $50,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant is able to compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $75,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox.

[image: Browsers.png (prize table)]

Back to categories

Enterprise Application Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the docket. Prizes in this category run from $40,000 for a Reader exploit with a sandbox escape, $50,000 for a Reader exploit with a Windows kernel privilege escalation, and $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. There’s a better than average chance that you use one (or more) of these applications in your average day, making this category relevant to nearly everyone with a computer.

[image: Enterprise Apps.png (prize table)]

The Office targets will be running Microsoft Office 365 ProPlus x64 (Monthly Channel) on Windows 10 x64. Microsoft Office-based targets will have Protected View enabled. Adobe Reader will have Protected Mode enabled.

Back to categories

Server Category

For 2021, we are expanding the Server category by adding Microsoft Exchange and SharePoint. Both of these servers were targeted by attackers over the last year. We’re also increasing the award for RDP/RDS entries to $200,000 for a full exploit. Attacks that require authentication will not be counted as a full win. As always, attempts in this category must be launched from the contestant’s laptop within the contest network.

[image: Servers.png (prize table)]

Back to categories

Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. This is a common tactic for malware and ransomware, so these bugs are highly relevant. In this category, the entry must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop and Microsoft Windows 10 are the two OSes available as targets in this category.

[image: EoP.png (prize table)]

Back to categories

Enterprise Communications Category

Our newest category focuses on tools that we have come to rely on as we evolved into a remote workforce. Zoom has become a partner for their inaugural Pwn2Own, and we’re happy to have them on board. A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message. Both Zoom and Microsoft Teams have a $200,000 award available, so we’re hoping to see some great research.

[image: Enterprise Communication.png (prize table)]

Back to categories

Automotive Category

We introduced the Automotive category in 2019, and we are excited to have Tesla return as a partner for 2021. Due to the virtualized nature of last year’s contest, we weren’t able to have any attempts, so we’re excited to have the opportunity this year. However, we wanted to raise the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and for 2021 there are three tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances.

Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla Model 3.

[image: Tesla Tier 1-2.png (Tier 1 prize table)]

In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. This represents the single largest target in Pwn2Own history. If someone is able to do this, it would also mean 70 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons.

[image: Tesla AddOn.png (add-on prize table)]

Again, it’s hard to express the difficulty in completing such a demonstration, but we’re certainly hopeful that someone is able to show off their exploit skills.

Tier 2 in this category is not quite as complex but still requires the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest payout for Tier 2 would be $500,000. A winning entry in Tier 2 would still be a pretty impressive and exciting demonstration and includes driving off with the Model 3.

[Image: Tesla Tier 2 award table]

The targets in Tier 3 could prove to be just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. To drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below.

[Image: Tesla Tier 3 award table]

Conclusion

The complete rules for Pwn2Own 2021 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have specific configuration or rule-related questions, email us. Questions asked over Twitter or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration closes at 5 p.m. Pacific Time on April 2, 2021.

Update as of March 15: If you have either travel restrictions or travel-safety concerns, you can opt for remote participation. You still need to register before the contest deadline (April 2nd, 2021). You will also need to send the entry, a detailed whitepaper completely explaining your exploit chain, and instructions on how to run the entry by 5:00 p.m. Pacific Time on April 4th, 2021. A member of the ZDI staff will run the exploit for you. All attempts will be filmed and available for viewing by you. If requested, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.

Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a sweet ride home from this year’s Pwn2Own competition.

With special thanks to our Pwn2Own 2021 Partners Tesla, Zoom, and Adobe.

Thanks also to our Pwn2Own 2021 Sponsor, VMware.

©2021 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.

Announcing Pwn2Own Vancouver 2021

Looking Back at the Zero Day Initiative in 2020

14 January 2021 at 14:00

As we enter 2021, now is a good time to look back at what the Zero Day Initiative has accomplished during the past year. Although it was a year filled with challenges, 2020 was the busiest year in the history of the program. We began by hosting a completely new edition of Pwn2Own. The inaugural Pwn2Own Miami saw researchers test their exploits against Industrial Control Systems (ICS) and SCADA products. As successful as that event was, it ended up being the only physical contest we held in 2020. With the spread of COVID-19, holding an event in person was no longer an option. Undaunted, we held our first virtual Pwn2Own Vancouver in March. We followed that up with Pwn2Own Tokyo (Live from Toronto) in November, where we streamed the contest live and demonstrated some great exploits from researchers around the world.

In 2020, we did a little reflecting on the history of our program as we celebrated 15 years of purchasing vulnerabilities. We’ve gone from buying just a single bug in 2005 to more than 8,000 bugs over that time. Last year we moved into some new vulnerability categories as well. Historically, we do not buy bugs in hardware, but in 2020, we ended up buying 41 bugs in wireless routers. We also expanded our purchasing of local privilege escalation and denial-of-service bugs. In February, we expanded our Targeted Initiative Program (TIP) by creating special incentives for bugs impacting Trend Micro products.

The quality of the research submitted to the program continues to amaze us. We already listed our Top 5 bugs of 2020, but those just scratch the surface of the submissions in 2020. We could not do what we do without the input and talent of our global community of independent researchers. Their work and submissions are key to our success, and we thank them for their continued trust in our program. Our program also wouldn’t work without vendors generating and releasing fixes for the vulnerabilities we report to them. The ZDI would not be able to sustain this level of advisories – and thus, better protections for Trend Micro customers – without the contributions of researchers and vendors, and we thank them for all they do.

By the Numbers

As of now, the ZDI has published 1,453 advisories for 2020 – the most ever in the history of the program. We usually see some notifications from vendors early in the new year of vulnerabilities patched late in the previous year (but where advisories were not coordinated). Because of this, the actual number of 2020 advisories may eventually increase. We’ll update this blog with the final numbers when we have them. Here’s how that number of advisories stacks up year-over-year.

Figure 1 - Published Advisories Year-Over-Year

Coordinated disclosure of vulnerabilities continues to be a successful venture. However, 2020 saw our largest percentage of 0-day disclosures ever with 18.6% of all our disclosures published without a fix from the vendor. The sector that has the most difficulty meeting our disclosure timelines continues to be ICS/SCADA vendors, but they were joined by enterprise software vendors like Microsoft and HPE and hardware manufacturers D-Link and NETGEAR. Still, we were able to successfully coordinate 1,138 advisory releases in 2020, which is greater than the total number of advisories released in 2019.

Figure 2 - 0-day Disclosures Since 2005

Here’s a breakdown of advisories by vendor. The top vendors really should not be shocking. What is somewhat surprising is the amount of “All Others” once you get past the top 20. That’s up 5% year-over-year and shows we are acquiring vulnerabilities in a wide array of vendors and products.

Figure 3 - Advisories per vendor for 2020

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2020, we did just that. A total of 80% of these vulnerabilities were rated Critical or High severity.

Figure 4 - CVSS 3 Scores for 2020

Here’s how that compares to the previous five years.

Figure 5 - CVSS Scores from 2015 Through 2020

As you can see, after 2018 we made a conscious effort to ensure we were acquiring vulnerabilities that have the greatest impact on our customers. We expect this trend to continue.

Looking Ahead

Moving into 2021, we anticipate we will remain as busy as ever. We currently have more than 500 bugs reported to vendors awaiting disclosure. That gets us a third of the way to publishing 1,500 advisories, which is not out of the question. There won’t be a Pwn2Own Miami in 2021, but we will have events in the spring and in the fall. Hopefully one or both can even be in person. Regardless, we’ll be streaming these contests moving forward, so if you ever wanted to attend Pwn2Own but couldn’t, you can now watch them online.

The ZDI vulnerability researchers will continue to be busy, as well. In 2020, roughly 20% of the advisories were cases submitted by ZDI researchers. When they aren’t reviewing submissions, ZDI researchers are usually found hunting for bugs, and they are pretty good at it. One of our big focus areas for research is in virtualization technologies. Over the past year, ZDI researchers have found 44 bugs that impact various virtualization products. This includes four remote code execution bugs in VMware ESXi discovered by ZDI Vulnerability Researcher Lucas Leong. We’ll be publishing more details about these bugs and the exploit he wrote using them once the fixes roll out.

Speaking of blogging, for the second year in a row, we published more than 60 blogs throughout the year, and we hope to keep that pace up moving forward. Expect patch blogs, exploit demonstrations, and more from the MindShaRE series. We’ve already published the first of those. This year, we’ll also be blogging more about what exploits and trends we’re detecting in the wild. In other words, 2021 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter for the latest updates from the ZDI.