Contestants at Pwn2Own Tokyo 2019 took down an impressive number of high-profile products during the competition’s first two days, including a Sony smart TV, a Netgear router and an Amazon Echo Show 5.
The two-day event paid contestants a total of $315,000 with Team Fluoroacetate, Amat Cama and Richard Zhu, being named Masters of PWN.
Day One, November 6, saw more than $195,000 awarded for 12 bugs that were found. Overall, those participants had nine successful attempts against seven targets in five categories, several of which were new for 2019.
The first day was dominated by the eventual event winners, Team Fluoroacetate. Team members took on and compromised two smart TVs, a home assistant, and the Xiaomi Mi9 and Samsung Galaxy S10 smartphones. This was the first hack of a television in Pwn2Own history.
Team F-Secure Labs, Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro, also went up against the Xiaomi Mi9 handset in the Web Browser category, where it had partial success using a couple of chained logic bugs.
Newcomers to the field, Team Flashback, Pedro Ribeiro and Radek Domanski, targeted the LAN interface of the NETGEAR Nighthawk Smart Wi-Fi Router (R6700); the router category was also new this year. They successfully used a stack-based buffer overflow to get a shell on the router, which was worth $5,000.
Their next target was a TP-Link AC1750 Smart Wi-Fi router. Here they used a total of three different bugs to inject their code on the device.
Fluoroacetate was back in the news on Day 2, again targeting a Samsung S10, but this time using a rogue base station and a stack overflow to push their file onto the target handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points. They then targeted the S10 once more, employing an integer overflow along with a UAF for the sandbox escape to exfiltrate a picture off the phone.
The TP-Link AC1750 Smart Wi-Fi router was again in Team Flashback’s sights. This time the exploit chosen used a stack overflow combined with a logic bug to gain code execution on the device. This earned them $20,000 and one more point towards Master of Pwn.
F-Secure Labs also took on the TP-Link AC1750, combining a command injection bug with some insecure defaults to gain code execution on the device, earning $20,000. And seemingly for fun, this team also punished the Xiaomi Mi9 using a crafted NFC tag to trigger an XSS bug, allowing them to send a photo from that phone to another. Doing so earned the team another $30,000.