The Pwn2Own Toronto 2023 hacking contest kicked off yesterday and participants successfully hacked NAS devices, printers, mobile phones, and other types of devices, earning a total of more than $400,000 on the first day.
The highest reward of the day went to Team Orca of Sea Security, which executed a two-vulnerability exploit chain (out-of-bounds read and use-after-free) against the Sonos Era 100 speaker, earning $60,000.
The Pentest Limited team earned the second-highest reward of the day, at $50,000, for an improper input validation exploit targeting the Samsung Galaxy S23 mobile phone.
The team also earned a $40,000 reward for a two-bug exploit chain (denial-of-service and server-side request forgery) leading to the compromise of Western Digital's My Cloud Pro Series PR4100 network-attached storage (NAS) product.
Two other $40,000 rewards were earned for exploits targeting the Xiaomi 13 Pro mobile phone (Team Viettel, a single-bug exploit) and the QNAP TS-464 NAS device (Team ECQ, a three-bug exploit chain involving a server-side request forgery and two injection flaws).
Vulnerabilities in the Synology BC500 IP camera were also exploited on the first day of the contest, with hackers earning roughly $50,000 for the exploits.
Additional exploits targeting the Xiaomi 13 Pro and the Samsung Galaxy S23 were demonstrated as well and earned the hacking teams more than $40,000 in rewards.
The participating teams and individual hackers also pwned the Canon imageCLASS MF753Cdw and the Lexmark CX331adwe printers, earning more than $60,000 for their exploits.
According to ZDI, not all of the exploits demonstrated on the first day of Pwn2Own Toronto 2023 were new, but participants still earned lower-tier rewards for their efforts.
The hacking competition will continue until Friday, with exploits to be demonstrated in the NAS devices, smart speakers, printers, mobile phones, and surveillance systems categories.
Missing from the contest are smart cars, which will be present at Pwn2Own Automotive, set to be hosted at the Automotive World conference, in January 2024, in Tokyo, Japan. It will be the first Pwn2Own competition dedicated to automotive.