Researchers hacked the Tesla ECU during the Pwn2Own competition

Pwn2Own and Tesla offered a car and $200,000 to Synacktiv


Published on March 22, 2024


Pwn2Own is an annual hacking competition held at the CanSecWest security conference. The event is similar to a capture-the-flag game for security researchers. If they succeed, the organizers reward them with the devices and software they exploited and cash prizes. Also, to ensure the safety of the competition, participants have to share their methods in detail.

This year, during the Pwn2Own competition, various products from companies like Microsoft, Oracle, and Tesla got hacked by researchers.

How does the Pwn2Own competition work?


The organizers of the Pwn2Own competition collaborate with tech companies to announce the software and devices that will be present at the competition. For example, some of the targets this year are Windows 11, Tesla, and Ubuntu Linux. Additionally, the companies can bring a special version of the product for the event.

The participants of the Pwn2Own competition must prepare exploits that take advantage of the security vulnerabilities they find in software, hardware, or firmware. These are zero-day attacks, so the vulnerabilities are not publicly disclosed and aren’t patched. After all, who would need a hacking competition if everyone knew about the system’s vulnerability and how to exploit it beforehand?

The stars of the show

Abdul Aziz Hariri was the first contestant of the Pwn2Own competition to win a $50,000 prize for gaining code execution on macOS. To do this, he exploited a flaw in Adobe Reader with the help of an API restriction bypass and a command injection bug. His method could give him complete control of a macOS system through Adobe Reader.

The Synacktiv team targeted a Tesla Model 3’s Electronic Control Unit (ECU). They exploited it using an integer overflow and Vehicle (VEH) CAN BUS Control. The integer overflow allowed them to overflow the Tesla ECU system with a specific value. By using this trick, they gained control over the CAN bus. Afterward, they gained access to the car’s functions. Ultimately, they won a Tesla Model 3 and $200,000. Last year, the team won $1,035,000 and a Tesla car for discovering 27 zero-day exploits at the Pwn2Own competition.

Theori security researchers Gwangun Jung and Junoh Lee targeted VMware Workstation and earned $130,000. By doing this, they gained SYSTEM-level access to the host Windows OS. They did so by chaining three vulnerabilities: an uninitialized variable bug, a use-after-free (UAF) weakness, and a heap-based buffer overflow.

In a nutshell, the Pwn2Own competition facilitates the discovery of zero-day vulnerabilities. Through it, companies can also learn how to patch the exploited flaws, especially since the researchers need to provide detailed information about their methods. However, we need to wait 90 days until Trend Micro’s Zero Day Initiative discloses the vulnerabilities used.

If you want to learn more about the contestants or companies in this competition, check out BleepingComputer’s article. Below, you can find the leaderboard.

That brings a close to the first day of #Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique 0-days. @Synacktiv currently leads in the hunt for Master of Pwn, but @_manfp is right behind them. Here are the full standings: pic.twitter.com/GbtDzbCFgO

What are your thoughts? Are you looking forward to seeing the Zero Day exploits used? Let us know in the comments.


Sebastian Filipoiu

Sebastian is a content writer with a desire to learn everything new about AI and gaming. So, he spends his time writing prompts on various LLMs to understand them better. Additionally, Sebastian has experience fixing performance-related problems in video games and knows his way around Windows. Also, he is interested in anything related to quantum technology and becomes a research freak when he wants to learn more.
