Hackers earn $990k for 63 zero-days exploited at Pwn2Own Toronto (opens in new tab)

(bleepingcomputer.com)

95 pointsBlue1113y ago31 comments

31 comments

25 comments · 10 top-level

ackbar033y ago· 5 in thread

I remember reading somewhere that hardcore foreign teams stopped going to pwn2own once they realized that they were

1) effectively disclosing valuable zero days in a dark room 2) to the tagert manufacturer 3) and the pwn2own organizer who happens to be indirectly sponsored by the NSA

In exchange for what is pretty much just kudos and pocket change

ehhthing3y ago

I'm active in the CTF crowd, and I think the general feeling is that you only want to burn your lower tier exploits at pwn2own. Usually these will be the exploits for things that are harder to sell to an exploit broker. You probably won't see many top tier vulnerabilities at pwn2own.

Zerodium is definitely a bit too well known to have actual market pricing for vulnerabilities, but their tier graphic is pretty accurate (https://zerodium.com/program.html). Notice how most of the things hacked at pwn2own are at the bottom of this graphic.

Selling to a exploit broker is pretty much always more profitable for higher tier exploits, and usually if you're in this industry and want to make bank you'll just work for a company like dfsec where you get bonuses for finding these kinds of exploits anyway.

sureglymop3y ago

That looks tempting but what happens after? Can you sell your exploit and then submit a patch for it? Is an exploit intellectual property?

1 more reply

Thorrez3y ago

What do they do with the vulnerabilities instead of going to pwn2own? If they report vulnerabilities to the manufacturer directly, how does the pay compare to the pay from pwn2own?

_kbh_3y ago

They likely sell them instead, and make a lot more money than they would have at pwn2own.

1 more reply

Blue111OP3y ago

Going to pwn2own is probably a good way to make sure the NSA closely follows you...

bmitc3y ago· 5 in thread

Interesting that they didn't mention in the summary that exploits were found for both a Samsung Galaxy and a Tesla head unit.

What type of knowledge do these people have? Networking? File systems? Linux kernels? How do they get started?

DanMcInerney3y ago

I'm a professional hacker. Almost all my colleagues got started by asking a simple security question like, "How do I spy on what people are browsing on my home wifi?" Then googling the current tools for it. The next step is writing either a Python script to automate the process or contribute the GitHub of the tool you used to improve it. Less than 10% of my general colleagues (and even lower % for the best colleagues) actually go to school for security. Similar to any other IT work, like getting printers connected to a network or deploying an Active Directory domain across your company. Google it then use the tools and tutorials afforded to you. Basic networking/linux/windows/programming knowledge is usually the prerequisite, but the keyword there is, "basic".

fruit20203y ago

So how do you spy on people on your home wifi. If I run a reverse proxy on my computer and then make the router use it, will chrome detect that it goes through a mitm?

1 more reply

heavenlyblue3y ago

Do you actively write and research new exploits?

ipaddr3y ago

Find out where they hang out and start picking up 'how' they work

mosselman3y ago

There must be more efficient ways to learn how to hack than hanging out at the local Starbucks waiting for the hackers to come rolling in to do some latte hacking.

rdtwo3y ago· 2 in thread

Seems like us probably 1/100 of what they could have earned on the market

tsujamin3y ago

It’s probably a lot less time consuming and risky than “going to market”. Reminds me of a panel at DEFCON this year that dealt with the fact this stuff is increasingly covered under export restrictions and a lot of the ecosystem is trust based.

Some probably don’t have connections they trust to sell to, and buyers mightn’t trust the sellers to not re-sell their exploits

ddevault3y ago

"The market" is highly unethical and anyone who sells exploits there is undoubtedly a black hat.

thefourthchime3y ago· 2 in thread

Not exactly related, but in my opinion, the quality of software has decreased in recent years. This is not unexpected.

samuria3y ago

It's not the quality, it's the quantity. We are living in a new age where everything is software driven, so naturally there will be more 0-days.

robocat3y ago

https://www.cvedetails.com/product/32238/Microsoft-Windows-1...

There has been an increase from ~50 code execution bugs per year (2016—18) to more than 100 per year (2019—2022) in Windows 10, which makes us think that software has got worse.

Presumably the vast majority of the vulnerabilities in Windows 10 have been in Windows 10 from its release date.

So it is reasonable to assume that we detect more bugs, not that the actual number increased.

I still notice a raft of bugs in iPadOS, including egregious UI errors in new features like multitasking, but the quality of iPadOS is generally improving (anecdotally).

1 more reply

ec1096853y ago· 1 in thread

Firecracker shows how low overhead VM’s can be. It feels like more of systems should have a harder boundaries, limiting impact of exploits.

pjmlp3y ago

Welcome to Windows secure kernel.

https://www.microsoft.com/en-us/security/blog/2020/07/08/int...

romellem3y ago

Money well spent, just think of the damage these could do if unpatched. These types of events are a great investment for the companies.

1B05H1N3y ago

Glad they found those vulns but I imagine one could fetch a lot more on less legitimate markets.

barbarbar3y ago

Is this hacking of a phone they have in their hands and connect it to a computer with a wire?

MichaelZuo3y ago

It seems like the name is bit of a misnomer though. Perhaps Pwn2Sell?

deafpolygon3y ago

Ok, ok, we get it. The Samsung Galaxy is an insecure phone.

j / k navigate · click thread line to collapse

31 comments

25 comments · 10 top-level

ackbar033y ago· 5 in thread

I remember reading somewhere that hardcore foreign teams stopped going to pwn2own once they realized that they were

1) effectively disclosing valuable zero days in a dark room 2) to the tagert manufacturer 3) and the pwn2own organizer who happens to be indirectly sponsored by the NSA

In exchange for what is pretty much just kudos and pocket change

ehhthing3y ago

sureglymop3y ago

That looks tempting but what happens after? Can you sell your exploit and then submit a patch for it? Is an exploit intellectual property?

1 more reply

Thorrez3y ago

What do they do with the vulnerabilities instead of going to pwn2own? If they report vulnerabilities to the manufacturer directly, how does the pay compare to the pay from pwn2own?

_kbh_3y ago

They likely sell them instead, and make a lot more money than they would have at pwn2own.

1 more reply

Blue111OP3y ago

Going to pwn2own is probably a good way to make sure the NSA closely follows you...

bmitc3y ago· 5 in thread

Interesting that they didn't mention in the summary that exploits were found for both a Samsung Galaxy and a Tesla head unit.

What type of knowledge do these people have? Networking? File systems? Linux kernels? How do they get started?

DanMcInerney3y ago

fruit20203y ago

So how do you spy on people on your home wifi. If I run a reverse proxy on my computer and then make the router use it, will chrome detect that it goes through a mitm?

1 more reply

heavenlyblue3y ago

Do you actively write and research new exploits?

ipaddr3y ago

Find out where they hang out and start picking up 'how' they work

mosselman3y ago

There must be more efficient ways to learn how to hack than hanging out at the local Starbucks waiting for the hackers to come rolling in to do some latte hacking.

rdtwo3y ago· 2 in thread

Seems like us probably 1/100 of what they could have earned on the market

tsujamin3y ago

Some probably don’t have connections they trust to sell to, and buyers mightn’t trust the sellers to not re-sell their exploits

ddevault3y ago

"The market" is highly unethical and anyone who sells exploits there is undoubtedly a black hat.

thefourthchime3y ago· 2 in thread

Not exactly related, but in my opinion, the quality of software has decreased in recent years. This is not unexpected.

samuria3y ago

It's not the quality, it's the quantity. We are living in a new age where everything is software driven, so naturally there will be more 0-days.

robocat3y ago

https://www.cvedetails.com/product/32238/Microsoft-Windows-1...

There has been an increase from ~50 code execution bugs per year (2016—18) to more than 100 per year (2019—2022) in Windows 10, which makes us think that software has got worse.

Presumably the vast majority of the vulnerabilities in Windows 10 have been in Windows 10 from its release date.

So it is reasonable to assume that we detect more bugs, not that the actual number increased.

I still notice a raft of bugs in iPadOS, including egregious UI errors in new features like multitasking, but the quality of iPadOS is generally improving (anecdotally).

1 more reply

ec1096853y ago· 1 in thread

Firecracker shows how low overhead VM’s can be. It feels like more of systems should have a harder boundaries, limiting impact of exploits.

pjmlp3y ago

Welcome to Windows secure kernel.

https://www.microsoft.com/en-us/security/blog/2020/07/08/int...

romellem3y ago

Money well spent, just think of the damage these could do if unpatched. These types of events are a great investment for the companies.

1B05H1N3y ago

Glad they found those vulns but I imagine one could fetch a lot more on less legitimate markets.

barbarbar3y ago

Is this hacking of a phone they have in their hands and connect it to a computer with a wire?

MichaelZuo3y ago

It seems like the name is bit of a misnomer though. Perhaps Pwn2Sell?

deafpolygon3y ago

Ok, ok, we get it. The Samsung Galaxy is an insecure phone.

j / k navigate · click thread line to collapse