Over 70 zero-day flaws get hackers $1 million at Pwn2Own Ireland
The fourth day of Pwn2Own Ireland 2024 marked the end of the hacking competition with more than $1 million in prizes for over 70 unique zero-day vulnerabilities in fully patched devices.
The hacking contest pits security researchers against various software and hardware products in an attempt to earn the "Master of Pwn" title by compromising targets in eight categories, ranging from mobile phones, messaging apps, home automation, and smart speakers to printers, surveillance systems, network-attached storage (NAS), and SOHO Smash-up.
This edition of Pwn2Own was the fourth consecutive one in which white-hat hackers surpassed the million-dollar prize mark, earning a total of $1,066,625.
During the last day of the competition, security researchers successfully exploited devices from Lexmark, TrueNAS, and QNAP:
- Team Smoking Barrels exploited two vulnerabilities in TrueNAS X. Although one of the bugs had been previously used in the contest, the team still earned $20,000 and 2 Master of Pwn points
- Team Cluck used a chain of six vulnerabilities to move from the QNAP QHora-322 to the Lexmark CX331adwe. One of the flaws had already been used but they received $23,000 and Master of Pwn points for the successful exploitation
- Viettel Cyber Security targeted TrueNAS Mini X with a two-bug exploit. Their chain also relied on a bug previously seen in the competition but their demonstration was rewarded with $20,000 and 2 Master of Pwn points
- PHP Hooligans / Midnight Blue leveraged an integer overflow vulnerability to exploit a Lexmark printer, which earned them $10,000 and 2 Master of Pwn points
Viettel Cyber Security received the "Master of Pwn" award for collecting a total of 33 Master of Pwn points. They earned $205,000 for the flaws demonstrated in QNAP NAS, Sonos speakers, and Lexmark printers.
The next Pwn2Own event is scheduled for January 22, 2025, and will happen in Tokyo, Japan.
The event focuses on the automotive industry and has four categories for participants: Tesla, In-Vehicle Infotainment (IVI), Electric Vehicle Chargers, and Operating Systems.
Zero Day Initiative (ZDI) has published details about the categories and the money prizes for successful exploitation. The rules of the competition are available here.
source: BleepingComputer