During a competition, participants discovered 18 previously unknown vulnerabilities in Amazon Echo, Xiaomi Mi9, Galaxy S10, etc. A total of $315,000 was earned by the participants of the hacker competition Pwn2Own 2019, held on November 6-7 in Tokyo.
The organizer of Pwn2Own is the Trend Micro Zero Day Initiative (ZDI), and the prize pool amounted to $750 thousand. The largest amount in two days ($195,00) was won by the well-known two-man team Fluoroacetate, consisting of two people – Amat Cama and Richard Zhu. According to the results of two days, Pwn2Own Fluoroacetate became the champion for the third time in a row.
On the first day of the competition, Pwn2Own participants earned $195,000 for exploiting vulnerabilities in smart TVs, routers, and smartphones. For hacking, they were provided with 17 different devices, including a “smart” Portal display and a virtual reality helmet Oculus Quest from Facebook. Both of these devices participated in Pwn2Own for the first time.
Competitors made 10 hacking attempts, and most of them were successful. Fluoroacetate team managed to crack the Sony X800G and Samsung Q60 smart TVs, the Amazon Echo smart speaker and the Xiaomi Mi9 smartphone, as well as steal the image from the Samsung Galaxy S10 via NFC.
The Flashback team hacked the NETGEAR Nighthawk Smart WiFi Router (R6700) and TP-Link AC1750 Smart WiFi Router smart routers. The F-Secure Labs team tried to hack the TP-Link router and the Xiaomi Mi9 smartphone, however, the attempts were only partially successful.
On the second day of the competition, Fluoroacetate participants were able to execute arbitrary code on the Samsung Galaxy S10, for which they received $50,000. The Flashback and F-Secure Labs teams hacked the TP-Link AC1750 router, receiving $20 thousand each. On the second day, F-Secure Labs still managed to hack the Xiaomi Mi9 and earn $30 thousand.