Pwn2Own

Computer hacking contest / From Wikipedia, the free encyclopedia


Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference.[1] First held in April 2007 in Vancouver,[2] the contest is now held twice a year,[3] most recently in March 2023.[4] Contestants are challenged to exploit widely used software[5] and mobile devices with previously unknown vulnerabilities.[6] Winners of the contest receive the device that they exploited and a cash prize.[7] The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

Pwn2Own
Date: April 18–20, 2007 (2007-04-18 – 2007-04-20)
Time: Twice yearly
Duration: 2 to 4 days
Venue: CanSecWest security conference
Location: Various
Type: Hacking contest
Patron(s): Zero Day Initiative
Organized by: CanSecWest Applied Security Conference
Awards: Cash prizes
Website: CanSecWest Applied Security Conference

History

Origins

The first contest in 2007[1] was conceived and developed by Dragos Ruiu in response to his frustration with Apple Inc.'s lack of response[8] to the Month of Apple Bugs and the Month of Kernel Bugs,[9] as well as Apple's television commercials that trivialized the security built into the competing Windows operating system.[10] At the time, there was a widespread belief that, despite these public displays of vulnerabilities in Apple products, OS X was significantly more secure than any of its competitors.[8] On March 20, roughly three weeks before CanSecWest that year, Ruiu announced the Pwn2Own contest to security researchers on the DailyDave mailing list.[1] The contest was to include two MacBook Pros that he would leave on the conference floor hooked up to their own wireless access point. Any conference attendee who could connect to this wireless access point and exploit one of the devices would be able to leave the conference with that laptop. There was no monetary reward.[8] The name "Pwn2Own" was derived from the fact that contestants must "pwn" or hack the device in order to "own" or win it.

On the first day of the conference in Vancouver, British Columbia, Ruiu asked Terri Forslof of the Zero Day Initiative (ZDI) to participate in the contest.[5] ZDI has a program which purchases zero-day attacks, reports them to the affected vendor and turns them into signatures for their own network intrusion detection system, increasing its effectiveness. The vulnerabilities sold to ZDI are made public only after the affected vendor has issued a patch for them.[11] Forslof agreed to have ZDI offer to purchase any vulnerabilities used in the contest for a flat price of $10,000.[5] The first contest subsequently exposed a high-profile QuickTime flaw, which was disclosed to Apple on April 23 and patched in early May.[5] In 2008 the scope of the Pwn2Own contest was expanded.[12] Targets included three laptops running the default installation of Windows Vista, OS X, or Ubuntu Linux.[13] Mobile devices were added in 2009.[6]

For 2012 the rules were changed to a capture-the-flag style competition with a point system,[14] and Chrome was successfully exploited for the first time, by regular competitor VUPEN.[15] After withdrawing from the contest that year due to new disclosure rules,[16] in 2013 Google returned as a sponsor and the rules were changed to require full disclosure of exploits and techniques used.[17] In that year (2013) a single researcher was able to hack Chrome, Firefox and IE, a trifecta hack.[18] Google ceased to be a sponsor of Pwn2Own in 2015.[19]

Recent years

In 2015, every web browser tested was successfully hacked and every prize won, totaling $557,500. Other prizes such as laptops were also given to winning researchers.[20] In 2018, the conference was much smaller and sponsored primarily by Microsoft, after China banned its security researchers from participating in the contest.[21]

Pwn2Own continues to be sponsored by Trend Micro's Zero Day Initiative, with ZDI reporting vulnerabilities to vendors before going public with the hacks.[3] "One of the largest hacking contests in the world" according to TechCrunch,[22] as of 2019 the contest continues to be held several times a year.[7] Pwn2Own Tokyo was held November 6 to November 7 in Tokyo, Japan, and was expected to hand out $750,000 in cash and prizes.[22] Hacks focus on browsers, virtual machines, computers, and phones.[3] In 2019, the contest added cars for the first time, with $900,000 offered for hacks exploiting Tesla software.[3] In 2019, the contest added industrial control systems.[23]

Award system

Winners of the contest receive the device that they exploited and a cash prize.[7] Winners also receive a "Masters" jacket celebrating the year of their win.

List of successful exploits

The following list of notable hacks is incomplete.

| Hacker(s) | Affiliation | Year | Exploit Target | Version / OS | Source |
|---|---|---|---|---|---|
| Dino Dai Zovi | Independent | 2007 | QuickTime (Safari) | Mac OS X | [24][25] |
| Shane Macauley | Independent | 2007 | QuickTime (Safari) | Mac OS X | [25][24] |
| Charlie Miller | ISE | 2008 | Safari (PCRE) | Mac OS X 10.5.2 | [26][27] |
| Jake Honoroff | ISE | 2008 | Safari (PCRE) | Mac OS X 10.5.2 | [26] |
| Mark Daniel | ISE | 2008 | Safari (PCRE) | Mac OS X 10.5.2 | [26] |
| Shane Macauley | Independent | 2008 | Adobe Flash (Internet Explorer) | Windows Vista Service Pack 1 | [28] |
| Alexander Sotirov | Independent | 2008 | Adobe Flash (Internet Explorer) | Windows Vista Service Pack 1 | [28] |
| Derek Callaway | Independent | 2008 | Adobe Flash (Internet Explorer) | Windows Vista Service Pack 1 | [28] |
| Charlie Miller | ISE | 2009 | Safari | Mac OS X | [29][27] |
| Nils | Independent | 2009 | Internet Explorer 8 | Windows 7 Beta | [30] |
| Nils | Independent | 2009 | Safari | Mac OS X | [31] |
| Nils | Independent | 2009 | Mozilla Firefox | | [32] |
| Charlie Miller | ISE | 2010 | Safari | Mac OS X | [33] |
| Peter Vreugdenhil | Independent | 2010 | Internet Explorer 8 | Windows 7 | [33] |
| Nils | Independent | 2010 | Mozilla Firefox 3.6 | Windows 7 (64-bit) | [33] |
| Ralf-Philipp Weinmann | Independent | 2010 | iPhone 3GS | iOS | [33] |
| Vincenzo Iozzo | Independent | 2010 | iPhone 3GS | iOS | [33] |
| VUPEN | VUPEN | 2011 | Safari 5.0.3 | Mac OS X 10.6.6 | [34] |
| Stephen Fewer | Harmony Security | 2011 | Internet Explorer 8 (32-bit) | Windows 7 Service Pack 1 (64-bit) | [34] |
| Charlie Miller | ISE | 2011 | iPhone 4 | iOS 4.2.1 | [35] |
| Dion Blazakis | ISE | 2011 | iPhone 4 | iOS 4.2.1 | [35] |
| Willem Pinckaers | Independent | 2011 | BlackBerry Torch 9800 | BlackBerry OS 6.0.0.246 | [35] |
| Vincenzo Iozzo | Independent | 2011 | BlackBerry Torch 9800 | BlackBerry OS 6.0.0.246 | [35] |
| Ralf-Philipp Weinmann | Independent | 2011 | BlackBerry Torch 9800 | BlackBerry OS 6.0.0.246 | [35] |
| VUPEN | VUPEN | 2012 | Chrome | Windows 7 Service Pack 1 (64-bit) | [15] |
| VUPEN | VUPEN | 2012 | Internet Explorer 9 | Windows 7 | [36] |
| Willem Pinckaers | Independent | 2012 | Mozilla Firefox | | [37] |
| Vincenzo Iozzo | Independent | 2012 | Mozilla Firefox | | [37] |
| VUPEN | VUPEN | 2013 | Internet Explorer 10 | Windows 8 | [38] |
| VUPEN | VUPEN | 2013 | Adobe Flash | Windows 8 | [39] |
| VUPEN | VUPEN | 2013 | Oracle Java | Windows 8 | [39] |
| Nils | MWR Labs | 2013 | Chrome | Windows 8 | |
| Jon | MWR Labs | 2013 | Chrome | Windows 8 | |
| George Hotz | Independent | 2013 | Adobe Reader | Windows 8 | |
| Joshua Drake | Independent | 2013 | Oracle Java | Windows 8 | |
| James Forshaw | Independent | 2013 | Oracle Java | Windows 8 | |
| Ben Murphy | Independent | 2013 | Oracle Java | Windows 8 | |
| Pinkie Pie | Independent | 2013 (Mobile) | Chrome | Android | [40] |
| Nico Joly | VUPEN | 2014 (mobile) | Windows Phone (Internet Explorer 11) | Windows 8.1 | |
| VUPEN | VUPEN | 2014 | Internet Explorer 11 | Windows 8.1 | |
| VUPEN | VUPEN | 2014 | Adobe Reader XI | Windows 8.1 | |
| VUPEN | VUPEN | 2014 | Chrome | Windows 8.1 | |
| VUPEN | VUPEN | 2014 | Adobe Flash | Windows 8.1 | |
| VUPEN | VUPEN | 2014 | Mozilla Firefox | Windows 8.1 | |
| Liang Chen, Zeguang Zhao | Keen team, team509 | 2014 | Adobe Flash | Windows 8.1 | |
| Sebastian Apelt, Andreas Schmidt | Independent | 2014 | Internet Explorer 11 | Windows 8.1 | |
| Jüri Aedla | Independent | 2014 | Mozilla Firefox | Windows 8.1 | |
| Mariusz Młyński | Independent | 2014 | Mozilla Firefox | Windows 8.1 | |
| George Hotz | Independent | 2014 | Mozilla Firefox | Windows 8.1 | |
| Liang Chen, Zeguang Zhao | Keen team, team509 | 2014 | OS X Mavericks, and Safari | | |
| Jung Hoon Lee, aka lokihardt | Independent | 2015 | Internet Explorer 11, Google Chrome, and Safari | | [20] |
| Nico Golde, Daniel Komaromy | Independent | 2015 (Mobile) | Samsung Galaxy S6 Baseband | Android | |
| Guang Gong | Qihoo 360 | 2015 (Mobile) | Nexus 6 Chrome | Android | |
| | | 2016 | | | |
| | | 2017 | iPhone 7, others | iOS 11.1 | |
| | | 2018 | | | |
| Fluoroacetate | Independent | 2019 (Mobile) | Amazon Echo Show 5 | | [41] |
| Pedro Ribeiro, Radek Domanski | Flashback | 2019 (Mobile) | NETGEAR Nighthawk Smart WiFi Router (LAN and WAN) | v3 (hardware) | [42] |
| Pedro Ribeiro, Radek Domanski | Flashback | 2019 (Mobile) | TP-Link AC1750 Smart WiFi Router (LAN and WAN) | v5 (hardware) | [43] |
| Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro | F-Secure Labs | 2019 (Mobile) | Xiaomi Mi9 (Web Browser and NFC) | Android | [42] |
| Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro | F-Secure Labs | 2019 (Mobile) | TP-Link AC1750 Smart WiFi Router (LAN and WAN) | v5 (hardware) | [43] |
| Yong Hwi Jin, Jungwon Lim, and Insu Yun | Georgia Tech Systems Software & Security Lab | 2020 (Desktop) | Apple Safari, with privilege escalation | macOS | [44][45] |
| Richard Zhu | Fluorescence | 2020 (Desktop) | Microsoft Windows | Windows | [44][45] |
| Manfred Paul | RedRocket | 2020 (Desktop) | Ubuntu Desktop | Ubuntu | [44][45] |
| Amat Cama, Richard Zhu | Fluoroacetate | 2020 (Desktop) | Microsoft Windows | Windows | [44][45] |
| Phi Phạm Hồng | STAR Labs | 2020 (Desktop) | Oracle VirtualBox | Windows | [44][46] |
| Amat Cama, Richard Zhu | Fluoroacetate | 2020 (Desktop) | Adobe Reader, with privilege escalation | Windows | [44][46] |
| Lucas Leong | Zero Day Initiative | 2020 (Desktop) | Oracle VirtualBox | Windows | [44][46] |
| | STAR Labs | 2020 (Tokyo) | NETGEAR Nighthawk R7800 (LAN) | | [47] |
| | Trapa Security | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| Pedro Ribeiro, Radek Domanski | Flashback | 2020 (Tokyo) | NETGEAR Nighthawk R7800 (WAN) | | [47] |
| | 84c0 | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| | Viettel Cyber Security | 2020 (Tokyo) | Samsung Q60T | | [47] |
| | Trapa Security | 2020 (Tokyo) | NETGEAR Nighthawk R7800 (LAN) | | [47] |
| Pedro Ribeiro, Radek Domanski | Flashback | 2020 (Tokyo) | TP-Link AC1750 Smart WiFi | | [47] |
| | Bugscale | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| | 84c0 | 2020 (Tokyo) | NETGEAR Nighthawk R7800 (LAN) | | [47] |
| | F-Secure Labs | 2020 (Tokyo) | Samsung Q60T | | [47] |
| Sam Thomas | Pentest Ltd | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| | Synacktiv | 2020 (Tokyo) | TP-Link AC1750 Smart WiFi (LAN) | | [47] |
| | DEVCORE | 2020 (Tokyo) | Synology DiskStation DS418Play NAS | | [47] |
| | DEVCORE | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| Gaurav Baruah | | 2020 (Tokyo) | Western Digital My Cloud Pro Series PR4100 | | [47] |
| | Viettel Cyber Security | 2020 (Tokyo) | Sony X800 | | [47] |
| | STAR Labs | 2020 (Tokyo) | Synology DiskStation DS418Play NAS | | [47] |
| Jack Dates | RET2 Systems | 2021 (Vancouver) | Apple Safari, with privilege escalation | | [48] |
| | DEVCORE | 2021 (Vancouver) | Microsoft Exchange | | [48] |
| OV | | 2021 (Vancouver) | Microsoft Teams | | [48] |
| | Viettel Cyber Security | 2021 (Vancouver) | Microsoft Windows | Windows 10 | [48] |
| Ryota Shiga | Flatt Security Inc | 2021 (Vancouver) | Ubuntu Desktop | Ubuntu | [48] |
| Jack Dates | RET2 Systems | 2021 (Vancouver) | Parallels Desktop | | [48] |
| Bruno Keith, Niklas Baumstark | Dataflow Security | 2021 (Vancouver) | Google Chrome, Microsoft Edge | | [48] |
| | Viettel Cyber Security | 2021 (Vancouver) | Microsoft Exchange | | [48] |
| Daan Keuper, Thijs Alkemade | Computest | 2021 (Vancouver) | Zoom | Windows | [48] |
| Tao Yan | Palo Alto Networks | 2021 (Vancouver) | Microsoft Windows | Windows 10 | [48] |
| Sunjoo Park | | 2021 (Vancouver) | Parallels Desktop | | [48] |
| Manfred Paul | | 2021 (Vancouver) | Ubuntu Desktop | Ubuntu | [48] |
| z3r09 | | 2021 (Vancouver) | Microsoft Windows | Windows 10 | [48] |
| Benjamin McBride | L3Harris Trenchant | 2021 (Vancouver) | Parallels Desktop | | [48] |
| Steven Seeley | Source Incite | 2021 (Vancouver) | Microsoft Exchange | | [48] |
| Billy | STAR Labs | 2021 (Vancouver) | Ubuntu Desktop | Ubuntu | [48] |
| Fabien Perigaud | Synacktiv | 2021 (Vancouver) | Microsoft Windows | Windows 10 | [48] |
| Alisa Esage | | 2021 (Vancouver) | Parallels Desktop | | [48] |
| Vincent Dehors | Synacktiv | 2021 (Vancouver) | Ubuntu Desktop | Ubuntu | [48] |
| Da Lao | | 2021 (Vancouver) | Parallels Desktop | | [48] |
| Marcin Wiazowski | | 2021 (Vancouver) | Microsoft Windows | Windows 10 | [48] |