Zero Day Initiative - Blog

The SOHO Smashup Returns for Pwn2Own Toronto 2023

13 July 2023 at 15:09

If you just want to read the rules, you can find them here.

Our consumer-focused Pwn2Own event returns to Toronto for 2023. The contest will be held at the Trend Micro office in Toronto on October 24-27. We had a great event last year, and we’re looking forward to another exciting contest. One of the things that made it so great was having so many of the competitors hanging out all day. We had so many fantastic discussions with talented researchers, and in-person attendance was key to that experience. While we are still allowing remote participation, we’ll be reimbursing up to $3,000 for travel expenses for former Pwn2Own winners that choose to come to Toronto to participate. We also will be able to host a limited audience for those who wish to attend and observe the contest, so look out for more information about that in the future.

If you can’t be in Toronto due to travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest deadline (October 19, 2023) and submit your entry, a detailed whitepaper completely explaining your exploit chain, and instructions on how to run the entry by the end of the registration period. A member of the ZDI staff will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.

As for the contest itself, we’re pleased to announce the return of Synology as a co-sponsor of the event. We’re also excited to announce the return of the “SOHO Smashup” category, where the contestants must start on the external interface of a router, compromise the router, then pivot to another device connected to the network. Last year, the DEVCORE team was the first to succeed in this category by using two different stack-based buffer overflow attacks against a Mikrotik router and a Canon printer – winning $100,000 in the process. We’re also bringing cameras back into the contest under the surveillance category. You may notice we’ve eliminated the router category. We still want to find bugs in these devices, but we’re focusing on the WAN interface in the SOHO Smashup rather than just the LAN interface. Beyond that, the contest remains similar to the event we had last year. We awarded $989,750 during the 2022 event. We’ll see if we can eclipse $1,000,000 this year.

UPDATE: As of September 18, we’re happy to announce Google has also signed on to be a partner for this year’s event. We’ve worked with Google in the past on other Pwn2Own competitions, and we’re happy to include some of their products in a special “Google Devices” category.

As always, we’ll have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Our intention with allowing remote participation is to provide as many people as possible with the benefits of participating in Pwn2Own while still treating all contestants as equally as possible. As always, if you have questions, please contact us at [email protected] (note the new address). We will be happy to address your issues or concerns directly.

Now on to the specific target categories. We’ll have seven different categories for this year’s event:

- Mobile Phones
- The SOHO Smashup
- Surveillance Systems
- Home Automation Hubs
- Printers
- Smart Speakers
- NAS Devices
- Google Devices

Let’s take a look at each category in more detail, starting with mobile phones.

The Target Phones

The original name for this event was “Mobile Pwn2Own” and our focus was strictly on phones. Mobile handsets remain at the heart of this event. As always, these phones will be running the latest version of their respective operating systems with all available updates installed. We’ve increased the rewards on these targets to add further incentives to these handsets.

In this category, contestants must compromise the device by browsing to content in the default browser for the target under test or by communicating with the following short-distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. The awards for this category are:

The Google and Apple devices in this category also include an add-on bonus. If your exploit payload executes with kernel-level privileges, you earn an additional $50,000 and 5 more Master of Pwn points. That means a full exploit chain that includes kernel-level access will earn $300,000 for the iPhone and $250,000 for the Pixel.

The SOHO Smashup

With many working from home, enterprises have found their network perimeter relocated to the home office. Threat actors exploiting home routers and consumer devices can use these as a launch point for lateral movements into enterprise resources. We wanted to demonstrate this during the contest, so we’re bringing back the SOHO Smashup category to show how this could happen. Contestants will need to first compromise the WAN port on a selected router. Once they accomplish that, they will need to pivot to one of the other devices and compromise it as well. The contestant is free to select any combination of router and home automation hub, smart speaker, printer, surveillance systems, or network-attached storage device during the registration process – although you won’t have some of the same easy targets as last year. If they get both devices within 30 minutes, they earn $100,000 and 10 Master of Pwn points. We’re hopeful multiple teams will use this category to choose their own (mis)adventure.

Surveillance Systems

Cameras have become an everyday part of our world, with wireless cameras operating in homes, offices, and stores. Notwithstanding privacy questions, the security of these devices could prove a tempting treat for attackers. An attempt in this category must be launched against the target’s exposed network services or target’s exposed features from the contestant’s laptop within the contest network.

Home Automation Hubs

Many of the cameras and other “smart” devices are connected to a centralized hub. From lights to locks to thermostats, cameras, and more, all can be accessed through a home automation hub. Of course, that means a threat actor could potentially access them as well. Some of the most popular smart hubs are included in this year’s event.

The Return of Printers

Exploits involving printers have made quite a bit of news over the last few years, with ransomware gangs incorporating PrintNightmare bugs in their exploit kits. During last year’s event, one printer ended up playing the theme to Mario. It will be interesting to see what exploits the contestants come up with this year.

Smart Speakers

Smart speakers continue to play a large part in our daily interactions with music, news, and more. They also offer an attack surface for threat actors to target. For this event, Pwn2Own Toronto has four targets available in this category.

Network Attached Storage (NAS) Devices

NAS devices make their return to Pwn2Own, and both Synology and Western Digital have returned as targets. We’re also adding the TS-464 from QNAP to this group. An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.

Google Devices

In addition to the added Google devices in the Surveillance and SOHO Smashup categories, we have a couple of extra targets specifically requested to be added by Google. An attempt in this category must be launched against the target’s exposed network services or the target’s exposed features from the contestant’s laptop within the contest network. 

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2024).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone 14 with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but completes the attempt. The final point total will be 20 Master of Pwn points.

The Complete Details

The full set of rules for Pwn2Own Toronto 2023 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Eastern Daylight Time on October 19, 2023.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OToronto hashtag for continuing coverage.

We look forward to seeing everyone in Toronto and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Toronto 2023 sponsors, Synology and Google, for providing their assistance and technology.

©2023 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.

Revealing the Targets and Rules for the First Pwn2Own Automotive

29 August 2023 at 15:04

If you just want to read the rules, you can find them here.

Earlier this year, I announced the ZDI, along with our cohorts at VicOne, will host a new Pwn2Own contest focused on automotive systems – Pwn2Own Automotive – at the upcoming Automotive World conference in Tokyo, Japan, held on January 24th – 26th, 2024. Today, we are releasing the targets and payouts for this inaugural event. As a reminder, we have three primary goals in hosting this event:

1. Provide an avenue to encourage automotive research. We want to offer a place where researchers can submit and be financially rewarded for reports targeting various products and platforms.
2. Incentivize vendors to participate in the security research community. We want to connect our global community of security researchers with automotive manufacturers to help improve their security and resiliency.
3. Bring a focus to the sub-components of a vehicle. Rather than looking at the vehicle as a monolithic unit, we want to bring attention to the multiple complex systems that comprise a modern automobile ecosystem.

We’re also excited to announce Tesla will partner with us on this event. They have worked with us extensively for our Pwn2Own Vancouver event, and we rely on their guidance and understanding of the complexities of electric vehicles (EV). We’re also grateful that ChargePoint decided to provide their EV chargers to use during the contest. The researchers from VicOne have also been essential in helping to determine targets and providing technical guidance on EV attack surfaces. We have more than $1,000,000 USD in cash and prizes available, and we can’t wait to see what researchers bring to demonstrate in Tokyo. However, we know not everyone can make it to Automotive World, so we will allow remote participation similar to other events. You will still need to register before the contest deadline (January 18, 2024) and submit your entry, a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry by the end of the registration period. If you plan on participating remotely, you will need to contact us even earlier to ensure we put you in the best position for success. We recommend two weeks prior to the deadline at the very latest.

As with other Pwn2Own events, we’ll have a random drawing to determine the schedule of attempts prior to the contest, and we will proceed from there. As always, if you have questions, don't hesitate to get in touch with us at [email protected]. We will be happy to address your issues or concerns directly.

Now on to the four categories we’ll have for the first Pwn2Own Automotive contest:

- Tesla
- In-Vehicle Infotainment (IVI)
- Electric Vehicle Chargers
- Operating Systems

Tesla Category 

We introduced the Automotive Category at Pwn2Own Vancouver in 2019, and Pwn2Own Automotive wouldn’t be complete without something similar. Earlier this year, the team from Synacktiv combined multiple exploits to target a combination of systems. It will be interesting to see what researchers bring to Tokyo. Contestants can register an entry against either a Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) equivalent bench top unit.  Also note that while a Tesla is available as a prize, not every successful attempt will win the vehicle itself. Some of the targets have add-ons available, but to drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below:

Here’s some additional info on the optional add-ons that are included in targets:

Previous exploits in this category have provided highlights of past events, and we’re hopeful we’ll see something similar in Tokyo. If you are going to participate in this category, please notify us at least two weeks before the event so we can source the hardware in time for the contest.  

In-Vehicle Infotainment (IVI)

When we started looking at targets within an automotive system, one of the first things we thought of was the first thing we looked at – the In-Vehicle Infotainment (IVI) system. These serve as radios and connect with our phones, but they do so much more as well. Navigation, in-car internet, and Wi-Fi are provided through these devices, but they also serve as a connection to other vehicle systems through the CAN bus – making them a ripe target for attackers. These devices are also retrofitted to existing vehicles to add modern capabilities – and perhaps modern vulnerabilities as well. For our first Pwn2Own Automotive contest, we’ll have three IVI devices to target. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

Electric Vehicle Chargers Category

There’s been a fair amount of research into the security of EVs, but there hasn’t been as much scrutiny around what we plug into an EV. Attack surfaces such as mobile apps, Bluetooth Low Energy (BLE) connections, and the OCPP protocol could all allow a threat actor to cause harm to an EV. For this event, we’ll have six different EV Chargers available as targets. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

Operating Systems

Most don’t think of operating systems within their car, but if you drive a recent Mercedes, Subaru, Mazda, or Toyota, there’s a good chance you’re also driving something with Automotive Grade Linux installed. How do these onboard OSes compare to their desktop counterparts? That’s what we aim to discover. An attempt in this category must be launched against the target's exposed services/features or launched against the target’s communication protocols that are accessible to a typical user.

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2025).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt.

The Complete Details

The full set of rules for Pwn2Own Automotive 2024 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Japanese Standard Time on January 18, 2024.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OAuto hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Automotive 2024 partners, Tesla, for providing their assistance and technology and to ChargePoint for providing hardware to use during the event. Thanks also to the researchers from VicOne for their guidance and recommendations.
