Sonos, HP, and Canon Devices Hacked at Pwn2Own Austin 2021
During the first day of Pwn2Own Austin 2021, contestants won $362,500 after exploiting previously unknown security flaws to hack printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR.
At Pwn2Own Austin (previously known as Pwn2Own Mobile), security researchers will target mobile phones, printers, routers, network-attached storage, smart speakers, televisions, external storage, and other devices, all up to date and in their default configuration.
The only exception is Western Digital’s 3TB My Cloud Home Personal Cloud NAS device, as it still runs a beta software release.
Researchers can win the highest rewards in the mobile phone category, where they can get cash prizes of up to $150,000, with a $50,000 bonus if their iPhone or Pixel browser exploits execute with kernel-level privilege, bringing the maximum award for a single challenge to a total of $200,000.
Pwn2Own Austin’s consumer-focused event was extended to four days after 22 different contestants registered for 58 total entries. The complete contest schedule can be found here.
The DEVCORE and THEORI teams were the ones who earned the highest rewards during the first day of Pwn2Own in Austin.
DEVCORE’s Orange Tsai (@orange_8361), Angelboy (@scwuaptx), and Meh Chang (@mehqq_) won a total of $100,000 after taking over the Sonos One Speaker and the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw printers.
The THEORI Team (@theori_io) earned another $80,000 after hacking Western Digital’s My Cloud Pro Series PR4100 and 3TB My Cloud Home Personal Cloud NAS devices.
Samsung Galaxy S21 was the only device that escaped unscathed after Ken Gannon (@yogehi) of F-Secure Labs couldn’t get his exploit to work within the allotted time.
The full schedule for Pwn2Own Austin 2021’s first day and the results following each challenge are listed here.
Over $1 million won at Pwn2Own Vancouver 2021
This year’s previous Pwn2Own contest took place in Vancouver, and it ended on April 9, 2021, with contestants earning a record $1,210,000 over three days for exploits and exploit chains targeting products in the web browsers, virtualization, servers, local escalation of privilege, and enterprise communications categories.
The total prize pool for the competition was over $1,500,000 in cash and included a Tesla Model 3 left unclaimed after no team signed up to hack the Tesla car this year.
Pwn2Own Vancouver 2021 ended with a tie between Team DEVCORE, OV, and Computest’s Daan Keuper and Thijs Alkemade, each of them earning $200,000.
Team Fluoroacetate won the first Tesla Model 3 at Pwn2Own after hacking its Chromium-based infotainment system during the 2019 competition.
They also earned $375,000 after successfully demoing exploits and exploit chains targeting Apple Safari, Oracle VirtualBox, VMware Workstation, Mozilla Firefox, and Microsoft Edge.