The Pwn2Own Toronto 2023 hacking contest kicked off yesterday and participants successfully hacked NAS, printers, mobile phones, and other types of devices, earning a total of more than $400,000 on the first day.
The highest reward of the day went to team Orca of Sea Security, which executed a two-vulnerability exploit chain (out-of-bounds read and use-after-free) against the Sonos Era 100 speaker, earning $60,000.
The Pentest Limited team earned the second highest reward of the day, at $50,000, for an improper input validation exploit targeting the Samsung Galaxy S23 mobile phone.
The team also earned a $40,000 reward for a two-bug exploit chain (denial-of-service and server-side request forgery) leading to the compromise of Western Digital’s My Cloud Pro Series PR4100 network-attached storage (NAS) product.
Two other $40,000 rewards were earned for exploits targeting the Xiaomi 13 Pro mobile phone (team Viettel – single-bug exploit) and the QNAP TS-464 NAS device (team ECQ – a three-bug exploit chain involving a server-side request forgery and two injection flaws).
Vulnerabilities in the Synology BC500 IP camera were also exploited on the first day of the contest, with hackers earning roughly $50,000 for the exploits.
Additional exploits targeting the Xiaomi 13 Pro and the Samsung Galaxy S23 were demonstrated as well and earned the hacking teams more than $40,000 in rewards.
The participating teams and individual hackers also pwned the Canon imageCLASS MF753Cdw and the Lexmark CX331adwe printers, earning more than $60,000 for their exploits.
According to ZDI, not all the exploits demonstrated on the first day of Pwn2Own Toronto 2023 were new, but participants still earned lower-tier rewards for their efforts.
The hacking competition will continue until Friday, with exploits to be demonstrated in the NAS devices, smart speakers, printers, mobile phones, and surveillance systems categories.
Missing from the contest are smart vehicles, which will be present at Pwn2Own Automotive, set to be hosted at the Automotive World conference, in January 2024, in Tokyo, Japan. It will be the first Pwn2Own competition dedicated to automotive.
Related: Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
Related: VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest
Related: ZDI Discusses First Automotive Pwn2Own
https://www.securityweek.com/hackers-earn-400k-on-first-day-at-pwn2own-toronto-2023/