Pwn2Own paid out almost $1 million to bug hunters at last week’s consumer product hacking event in Toronto, but the prize money wasn’t big enough to attract attempts at cracking the iPhone or Google Pixel, because miscreants can score far more from less wholesome sources.
“We were offering our top award for those,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI).
The contest planned to give away $250,000 for a successful iPhone or Google Pixel exploit, he told The Register in an exclusive interview at the end of the four-day event. “And that’s just simply not enough zeros for the level of research that it takes to get those phones,” Childs said.
“We talk to people across different sectors as far as the bug economy goes, and some of the things that we’ve heard is to get a zero-click iPhone exploit, the price can go up to $15 million.”
Meanwhile, four teams did attempt Samsung Galaxy exploits, and three were successful, winning $50,000 as the top prize for hacking the Korean giant’s flagship smartphones. Those, too, could sell for a lot more on the criminal marketplaces. “That’s probably at least $2 million to $3 million right there,” Childs said.
The Register does not suggest security researchers should sell zero-days for millions of dollars instead of disclosing them to vendors that, hopefully, will fix the holes and use this information to make their products more secure. But the fact that there’s a ton of money to be made, albeit illegally, from finding, exploiting, and selling vulnerability info to shady sorts online can’t be ignored.
“Absolutely, it’s a temptation when you’re dealing with that much money,” Childs said. “Especially in some places where it’s legal, for example, selling to an exploit broker or somebody’s going to resell it. But the flip side of that is: once you go down that route, it’s very hard to get out of it.”
ZDI has hosted the vendor-agnostic bug hunting event for 14 years, and it became part of Trend Micro when that security vendor acquired the bug-hunting biz in 2015. There are now three separate Pwn2Own events each year, each focused on a different class of products: consumer, enterprise, and industrial control systems.
Last year, ZDI was responsible for almost 64 percent of all vulnerabilities disclosed, according to Omdia’s research [PDF].
This most recent contest in Toronto was the largest ever: 26 contestants submitted 66 entries over four days, and $989,750 was paid out for successful exploits across mobile phones, smart speakers, routers, printers, and network-attached storage devices.
During the event, each team has three attempts on stage to demonstrate a zero-day exploit. If they succeed, they are quickly whisked away to a back room to tell ZDI how they did it.
Then the vendor is brought in so the researchers can disclose the bug, and at that point the clock starts ticking down for the manufacturer to fix the issue. Pwn2Own has a 90-day disclosure policy, and during that time “we expect them to either produce a patch or we disclose more information about it on our website. The bugs absolutely do not stay hidden,” Childs said.
At this point in the contest’s history, most vendors want to hear the details about how the researchers found the flaws. Childs said the vendors tend to follow a similar line of questioning: How did you find the bugs? How did you research them? What was your thought process? “And they all said, ‘we need to do that, too.'”
The Samsung Galaxy exploits were among this event’s highlights, including one on day three of the contest during which Pentest Limited successfully executed an improper input validation attack in just 55 seconds. The phone maker was on site in Toronto, attending debriefs with the successful contestants.
“Samsung was certainly grateful that we were giving them the bugs in a coordinated disclosure manner — that we’re not going public with it, that we’re not releasing any exploits in the wild, that they are getting a chance to fix it before their customers suffer any damage from these vulnerabilities,” Childs said.
“Obviously they are not thrilled to be in the room,” he added. “There was one unsuccessful entry, and they were probably happier with that disclosure than the other four. But at the same time they understand the importance of the event. We are handing [the exploits] over to them for free, and they are appreciative of that.”
Another highlight of the Toronto contest was the SOHO Smashup category, which required contestants to compromise the WAN interface to take over a home router, and then pivot to an internal device such as a smart speaker or a printer.
This type of attack is especially relevant in hybrid and work-from-home scenarios, said Trend Micro COO Kevin Simzer. “Maybe the average consumer is not concerned about some of these exploits — although they should be — but I can tell you the commercial customers that we deal with are definitely concerned,” he told The Register.
“We all live in a hybrid-work model now, so these vulnerabilities could work their way onto enterprise corporate networks quite easily.”
Still, the fact remains that all of these contestants can make more money selling these exploits on the black market. So why do they choose 15 minutes (or less) of fame and $10,000 (or more) at Pwn2Own instead?
“Cash is obviously a motivator,” Childs said. “If someone hands you $10,000, it might not change your life, but it certainly changes your day. And in certain parts of the world, it really does change your life.”
Others are in it for the recognition, he added. “We have a lot of people who participate that are young companies, or young researchers who want to show their prowess and show that they’re worth hiring as consultants.”
Still others seem to be genuinely good people who just want to make the world a safer place.
“This is going to sound corny and altruistic, but people tell us they would rather send bugs to us than sell them on the exploit marketplace because they want the bugs fixed,” Childs said. “We really have heard that from researchers: I know I’m getting less money this way. But I’m still getting recognized as the bug is actually getting fixed and not exploited.” ®