Elite Hackers Made Almost $1 Million Last Week, Here’s How – Forbes

The bi-annual Pwn2Own elite hacking event held in Toronto has come to an end after four days in which 63 zero-day vulnerabilities were successfully exploited. Some 26 hacking teams and individual hackers took part in the event, operated by Trend Micro’s Zero-Day Initiative (ZDI). The challenge looks simple enough: exploit a previously unknown vulnerability against one of the devices entered into the competition. However, exploiting such a zero-day against the clock is anything but, as evidenced by many failures across the four days of competitive hacking.
As already reported, Samsung was among the first big names to fall on day one of Pwn2Own Toronto 2022. The Samsung Galaxy S22 was successfully hacked not once, but twice. The same model smartphone, running the latest Android OS and with all security patches in place, was also hacked again on days two and three. Samsung told Forbes that it is working on releasing a security patch this month.
Across the four days of Pwn2Own Toronto 2022, printers from the likes of Canon, HP, and Lexmark, fell time and time again to the zero-day attacks from various hacking teams. But it wasn’t just smartphones and printers that were being targeted, network-attached storage devices from Western Digital, and routers from Netgear, Synology, and TP-Link. The Sonos One smart speaker was also hacked.
None of the zero-days are sold or redistributed by ZDI, instead, the exploited device vendors are quickly given the details required in order for them to release a patch to fix the issue before full technical information is made public or can be exploited by malicious threat actors. In all, some 63 zero-days were acquired by ZDI during the course of Pwn2Own Toronto 2022 at a cost of very nearly one million dollars. The total award purse for the event ended up being $989,750.
This is yet another great example of why hacking is not a crime. Not all hackers are criminals, those who partake in criminal activity are, and some may employ hacking as part of this criminality. It’s important, however, to appreciate the distinction. If it were not for the 26 elite hackers and teams participating in Pwn2Own Toronto 2022, there could be 63 vulnerabilities out there, unknown to the vendors and users of the products concerned, potentially in the hands of criminals. ZDI passes over details of the zero-days that it purchases during the event to the vendors in as short a time as possible. It then withholds the technical information about the vulnerabilities and their exploitation for 120 days so as to give the vendors every opportunity to issue security patches before threat actors can attempt to use them.
The final results of Pwn2Own Toronto 2022, this was a competition, after all, and so placings are important, were as follows:
The final leaderboard of Pwqn2Own Toronto 2022
In first place and taking the Master of Pwn title was the Devcore team, who took $142,500 in bounty payments and earned 18.5 points. Team Viettel came second with 16.5 points ($82,500), and NCC Group EDG was third with 15.5 points ($78,750). The full results, including detailed daily successes and failures, can be found in the ZDI Pwn2Own Toronto 2022 blog.


Leave a Comment