Contestants at the Pwn2Own Tokyo 2019 took down an impressive number of high-profile products during the competition’s first two days, including a Sony smartTV, Netgear router and an Amazon Echo Show 5.
The two-day event paid contestants a total of $315,000 with Team Fluoroacetate, Amat Cama and Richard Zhu, being named Masters of PWN.
Day One, November 6, saw more than $195,000 awarded for 12 bugs that were found. Overall, those participants had nine successful attempts against seven targets in five categories, several of which were new for 2019.
The first day was dominated by the eventual event winners Team Fluoroacetate. Team members took on and dominated two SmartTVs, a home assistant, and a Xiaomi Mi9 and Samsung Galaxy S10 smartphones. This was the first hack of a television in Pwn2Own history. T
The duo was quickly able to get a bind shell due to a JavaScript out-of-bounds (OOB) Read in the embedded web browser earning themselves $15,000. They also attacked a Samsung Q60 TV, failing on their first attempt failed, but then used an integer overflow in JavaScript to get a reverse shell from the television. The successful demonstration earned the team another $20,000 and 2 Master of Pwn points.
Fluoroacetate scored again in the new home automation category and went after an Amazon Echo Show 5 using an integer overflow in JavaScript to compromise the device and take control. This exploit earned them $60,000 and 6 Master of Pwn points.
Team F- Secure Labs, Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro, also went up against the Xiaomi Mi9 handset in the Web Browser category where it had partial success using a couple of chained logic bugs.
Their final target was a Samsung Galaxy S10 going in through the NFC component. They used a bug in JavaScript JIT followed by a Use After Free (UAF) to escape the sandbox and grab a picture off the phone earning $30,000.
Newcomers to the field Team Flashback, Pedro Ribeiro and Radek Domanski, targeted the LAN interface of the NETGEAR Nighthawk Smart Wi-Fi Router (R6700), the router category also being new this year. They successfully used a stack-based buffer overflow to get a shell on the router which was worth $5,000.
Their next target was a TP-Link AC1750 Smart Wi-Fi router. Here they used a total of three different bugs to inject their code on the device.
Fluoroacetate was back in the news again on Day 2 again targeting a Samsung S10, but this time using a rogue base station used a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points. They again targeted the S10 employing a an integer overflow along with a UAF for the sandbox escape to exfiltrate a picture off the phone.
The TP-Link AC1750 Smart Wi-Fi router was again in Team Flashback’s sites. This time the exploit chosen used a stack overflow combined with a logic bug to gain code execution on the device. This earned them $20,000 and one more point towards Master of Pwn.
F-Secure Labs also took on the TP-Link AC1750 combining a comment injection bug with some insecure defaults to gain code execution on the device gaining $20,000. And seemingly for fun this team also punished Xiaomi Mi9 using a crafted NFC tag to trigger an XSS bug allowing them to send a photo from that phone to another. Doing so earned the team another $30,000.