Fri. Jan 24th, 2020

At the Pwn2Own hacking contest in Tokyo, Amazon, Sony, Xiaomi and Samsung devices were successfully broken.

At the Pwn2Own hacking contest held in Tokyo, Japan, the white hat hacking team codenamed Fluoroacetate attacked devices from many manufacturers one after another. The purpose of the contest is to demonstrate vulnerabilities in widely used devices and software. Vulnerabilities found during the contest are reported to the event organizer, which passes them on to the relevant manufacturer so that the manufacturer can fix them, thereby improving the overall security of the device or software.

The Fluoroacetate team, consisting of Richard Zhu and Amat Cama, first exploited a vulnerability in the Sony X800G smart TV to gain complete control of the device. For this, the team received a $15,000 bonus and two PWN points. The next target was the Amazon Echo Show 5: the team successfully exploited a JavaScript integer overflow vulnerability in the device to break it, earning $60,000 and six PWN points.

Finally, the team also used undisclosed vulnerabilities to break into the Samsung Q60 smart TV ($15K, 2 points), the Xiaomi Mi9 smartphone ($20K, 2 points), and the Samsung Galaxy S10 ($30K, 3 points). On the first day of the contest, the Fluoroacetate team received as much as $145,000 in rewards and 15 PWN points, putting it far ahead of the other teams.

When the contest ended, it came as no surprise that the Fluoroacetate team had won the championship again. This is the third consecutive year that the team has won the PWN master title at the contest.

The Fluoroacetate team received a total of $195,000 in rewards and 18.5 points. After the contest, the organizers presented the team with a trophy in recognition of its contribution. Among the other teams, new participant Flashback received a $50,000 reward, and the team from security company F-Secure Labs received a $70,000 award. Across all the devices tested, the researchers found a total of 18 security vulnerabilities, and the event organizers paid out a total of $315,000 in rewards for them.

After the event, the related vulnerabilities were handed over to the manufacturers' on-site response personnel, who have 90 days to issue a patch.

Via: androidpolice