Security researchers from around the globe gathered for the Pwn2Own Ireland 2024 competition, demonstrating over 70 zero-day vulnerabilities across a range of consumer devices, including the Samsung Galaxy S24 and popular network-attached storage (NAS) devices. Organized by Trend Micro’s Zero Day Initiative (ZDI), this year’s event rewarded participants with more than $1 million in total bounties, highlighting pressing security risks in connected devices.
Pwn2Own: From Small Hackathons to Major Cybersecurity Event
Since 2007, when it was first held at the CanSecWest security conference in Vancouver, Pwn2Own has evolved from a niche contest into a key cybersecurity event. Founded by security researcher Dragos Ruiu, the competition started as a challenge to hack laptops, with the premise that anyone who could “pwn” a device would get to “own” it.
Today, Pwn2Own targets a diverse range of devices and software, from mobile phones and NAS to home IoT products. The contest not only exposes vulnerabilities but also fosters collaboration between security experts and tech companies, encouraging responsible bug reporting and the adoption of bug bounty programs industry-wide.
Day One: High Payouts and Fast-Paced Exploits
On the opening day, researchers received nearly $516,000 in awards for hacking into various connected devices, including home IoT equipment and networked printers. The Viettel Cyber Security team took an early lead, amassing 13 points with several successful hacks.
That’s a wrap on Day 1 of #Pwn2Own Ireland! We awarded $486,250 for 52 unique 0-days. Viettel Cyber Security (@vcslab) has an early lead for Master of Pwn with 13 points, but there’s lots of contest to go. Stay tuned for all of the latest results as Pwn2Own Ireland continues.
— Zero Day Initiative (@thezdi) October 22, 2024
Among the standout achievements was the Summoning Team’s use of nine distinct bugs to chain from a QNAP router into a TrueNAS Mini X NAS, which netted them $100,000. Meanwhile, RET2 Systems exploited an out-of-bounds write in the Sonos Era 300, a memory-safety bug in which code writes past the end of a buffer and corrupts adjacent memory, often the first step toward code execution, adding $60,000 to their winnings.
Major Brands Targeted: Samsung Galaxy and Canon Printers Hacked on Day Two
Day two saw familiar brands like Samsung, Canon, and HP take center stage, with Ken Gannon of NCC Group deploying five different exploits on the Samsung Galaxy S24. His effort led to full shell access and allowed him to install an unauthorized app, earning him $50,000 and solidifying his team’s standing in the competition.
However, not all attempts succeeded; for instance, the DEVCORE Internship Program’s multi-device attack was stopped short, as the team failed to exploit a targeted printer despite gaining router access.
Day Three: NAS, Printers, and IoT Cameras Breached
Momentum continued on the third day with a series of vulnerabilities exposed in NAS devices, printers, and security cameras. Viettel Cyber Security maintained its dominance, using a command injection to compromise the QNAP TS-464 NAS, for which they were awarded $10,000. Other notable entries included Team Smoking Barrels, which broke into Synology’s BeeStation through a flaw in its network channel, earning them an additional $10,000.
That brings Day 3 of #Pwn2Own Ireland to a close. We awarded $118,750 today, bringing the total to $993,625. With four more attempts tomorrow, $1 million is right there for the taking. Viettel Cyber Security (@vcslab) maintains their Master of Pwn lead and looks unstoppable.
— Zero Day Initiative (@thezdi) October 24, 2024
Throughout the day, “collisions” were common: a team’s entry relied on a bug that another team had already demonstrated earlier in the contest. Such entries still count as successes but earn a reduced payout. Viettel Cyber Security, for instance, collided on a Canon printer vulnerability that another team had exploited before them. Independent rediscovery of the same bugs by several teams points to how exposed some of these attack surfaces are.
Final Day: Payouts Exceed $1 Million as Event Concludes
The fourth and final day brought the event’s total prize pool to over $1 million. Returning to previously breached devices, Team Cluck used a chain of six bugs against QNAP and Lexmark devices, one of which collided with a bug demonstrated earlier in the competition. This added $23,000 to their total and boosted their standing in the Master of Pwn rankings.
Last Updated on November 7, 2024 2:19 pm CET