Pwn2Own Austin 2021: Synacktiv crowned Masters of Pwn after Sonos One, WD NAS exploits



Adam Bannister

08 November 2021 at 17:12 UTC

Updated: 08 November 2021 at 17:19 UTC

French team takes home nearly $200k in winnings as event uncovers 61 zero days

Team Synacktiv has claimed the Master of Pwn crown at Pwn2Own Austin 2021 after netting maximum points for a zero-day vulnerability in the Sonos One smart speaker.

Synacktiv, a French offensive security firm, topped the leaderboard at the three-day, hardware-focused hacking event with 20 Master of Pwn points, earning $197,500 in prize money in the process.


Seizing control of the Sonos One via a stack-based buffer overflow flaw accounted for six points and $60,000 of their winnings.

Meanwhile, four points and $40,000 were earned courtesy of a configuration flaw, resulting in code execution, on Western Digital’s (WD) My Cloud Pro Series PR4100, a network-attached storage (NAS) device.

Million-dollar event

Total payouts exceeded $1 million for the second Pwn2Own in a row, and contestants collectively discovered 61 unique zero-days (previously unknown and unpatched security flaws).

Proceedings took place between November 2-4 at the headquarters of event organizer, the Zero Day Initiative (ZDI).


DEVCORE, joint winners of the flagship spring event, finished second, trailing Synacktiv by just two points with 18 points and $180,000 in total.

Together with his fellow DEVCORE members, Orange Tsai – who memorably uncovered “a whole new attack surface” on Microsoft Exchange Server last year – also claimed maximum points for compromising Sonos One, along with four points and $40,000 after combining out-of-bounds read and out-of-bounds write flaws to hack Western Digital’s 3TB My Cloud Home Personal Cloud, a NAS device.

STARLabs, which finished third overall, chained out-of-bounds read with heap-based buffer overflow bugs on the beta version of the same device, earning five points and $45,000.

Fourth on the final standings, Sam Thomas from UK infosec firm Pentest Ltd earned $40,000 and four points after chaining three bugs to get code execution on WD’s PR4100.


Asked to name his favorite exploit, ZDI communications manager Dustin Childs tells The Daily Swig: “It’s hard to beat an exploit that turns a printer into a jukebox and plays AC/DC. However, the exploit used against the beta version of the 3TB My Cloud Home Personal Cloud was really impressive, too.

“That’s one to definitely watch for when the fix becomes available.”

The 2021 edition included a consumer printer category for the first time in the wake of the pandemic-driven shift to home working, as well as the emergence of a noteworthy vulnerability in Microsoft’s Windows Print Spooler over the summer.

Record entry numbers

Vendors now have 120 days to remediate vulnerabilities discovered during the event before contestants are permitted to disclose technical details.

The Texas-based Pwn2Own edition featured a record 58 exploit attempts – around twice as many as the previous high – made by 22 teams or individual competitors against 22 devices, which also included TVs, routers, and home automation devices.

Streaming via YouTube and Twitch since Covid-19 forced the organizers to offer remote participation “has helped engagement tremendously”, says Childs. “The goal is to make attending and participating in Pwn2Own open to anyone interested, regardless of where they are located.”

Reaching $1,081,250, total prize money was slightly down on the $1,210,000 total winnings at the flagship, software-focused Pwn2Own event in April.

You can find out more about how Pwn2Own Austin 2021 unfolded on ZDI’s YouTube channel and blog.
