Pwn2Own Austin 2021: Synacktiv crowned Masters of Pwn after Sonos One, WD NAS exploits
08 November 2021 at 17:12 UTC
Updated: 08 November 2021 at 17:19 UTC
French team takes home nearly $200k in winnings as event uncovers 61 zero days
Team Synacktiv has claimed the Master of Pwn crown at Pwn2Own Austin 2021 after netting maximum points for a zero-day vulnerability in the Sonos One smart speaker.
Synacktiv, a French offensive security firm, topped the leaderboard at the three-day, hardware-focused hacking event with 20 Master of Pwn points, earning $197,500 in prize money in the process.
Seizing control of the Sonos One via a stack-based buffer overflow flaw accounted for six points and $60,000 of their winnings.
Meanwhile, a configuration flaw that yielded code execution on Western Digital’s (WD) My Cloud Pro Series PR4100, a network-attached storage (NAS) device, earned a further four points and $40,000.
Total payouts exceeded $1 million for the second Pwn2Own in a row, and contestants collectively discovered 61 unique zero-days (previously unknown and unpatched security flaws).
Proceedings took place between November 2-4 at the headquarters of event organizer, the Zero Day Initiative (ZDI).
Trailing Synacktiv by just two points in second place was DEVCORE, joint winner of the flagship spring event, which earned 18 points and $180,000 in total.
Together with his fellow DEVCORE members, Orange Tsai – who memorably uncovered “a whole new attack surface” on Microsoft Exchange Server earlier this year – also claimed maximum points for compromising the Sonos One, along with four points and $40,000 for combining out-of-bounds read and out-of-bounds write flaws to hack Western Digital’s 3TB My Cloud Home Personal Cloud, another NAS device.
STARLabs, which finished third overall, chained an out-of-bounds read with a heap-based buffer overflow on the beta version of the same device, earning five points and $45,000.
Fourth on the final standings, Sam Thomas from UK infosec firm Pentest Ltd earned $40,000 and four points after chaining three bugs to get code execution on WD’s PR4100.
Asked to name his favorite exploit, ZDI communications manager Dustin Childs tells The Daily Swig: “It’s hard to beat an exploit that turns a printer into a jukebox and plays AC/DC. However, the exploit used against the beta version of the 3TB My Cloud Home Personal Cloud was really impressive, too.
“That’s one to definitely watch for when the fix becomes available.”
The 2021 edition included a consumer printer category for the first time, prompted by the pandemic-driven shift to home working as well as the emergence over the summer of a high-profile vulnerability in Microsoft’s Windows Print Spooler (PrintNightmare).
Record entry numbers
Vendors now have 120 days to remediate vulnerabilities discovered during the event before contestants are permitted to disclose technical details.
The Texas-based Pwn2Own edition featured a record 58 exploit attempts – around twice as many as the previous high – made by 22 teams or individual competitors against 22 devices, which also included TVs, routers, and home automation devices.
Streaming via YouTube and Twitch since Covid-19 forced the organizers to offer remote participation “has helped engagement tremendously”, says Childs. “The goal is to make attending and participating in Pwn2Own open to anyone interested, regardless of where they are located.”
Total prize money reached $1,081,250, slightly down on the $1,210,000 awarded at the flagship, software-focused Pwn2Own event in April.