Over 70 zero-day flaws get hackers $1 million at Pwn2Own Eire

The fourth day of Pwn2Own Eire 2024 marked the top of the hacking competitors with greater than $1 million in prizes for over 70 distinctive zero-day vulnerabilities in absolutely patched gadgets.

The hacking contest pits safety researchers in opposition to varied software program and {hardware} merchandise, in an try earn the “Master of Pwn” title by compromising targets in eight classes starting from cell phones, messaging apps, residence automation, and good audio system to printers, surveillance techniques, network-attached storage (NAS), and SOHO Smash-up.

This version of Pwn2Own was the fourth consecutive one the place white-hat hackers handed over the million-dollar prize mark, incomes a complete of $1,066,625.

Over the last day of the competitors, safety researchers efficiently exploited gadgets from Lexmark, True NAS, and QNAP:

• Group Smoking Barrels exploited two vulnerabilities in TrueNAS X. Althoug one of many bugs had been beforehand used within the contest, the group nonetheless earned $20,000 and a couple of Grasp of Pwn factors
• Group Cluck used a series of six vulnerabilities to maneuver from the QNAP QHora-322 to the Lexmark CX331adwe. One of many flaws had already been used however they obtained $23,000 and Grasp of Pwn factors for the profitable exploitation
• Viettel Cyber Security focused TrueNAS Mini X with a two-bug exploit. Their chain additionally relied on a bug beforehand seen within the competitors however their demonstration was rewarded with $20,000 and a couple of Grasp of Pwn factors
• PHP Hooligans / Midnight Blue leveraged an integer overflow vulnerability to use a Lexmark printer, which earned them $10,000 and a couple of Grasp of Pwn factors

Viettel Cyber Security obtained the “Master of Pwn” award for accumulating a complete of 33 Grasp of Pwn factors. They earned $205,000 for the failings demonstrated in QNAP NAS, Sonos audio system, and Lexmark printers.

The subsequent Pwn2Own occasion is scheduled for January 22, 2025, and can occur in Tokyo, Japan.

The occasion focuses on the automotive trade and has 4 classes for individuals: Tesla, In-Car Infotainment (IVI), Electrical Car Chargers, and Working Techniques.

Zero Day Initiative (ZDI) has revealed particulars in regards to the classes and the cash prizes for profitable exploitation. The principles of the competitors can be found right here.