
On March 22, 2023, some of the world’s most proficient hackers gathered in Vancouver, Canada for the Pwn2Own hacking competition, organized by the Trend Micro Zero-Day Initiative (ZDI). The goal of the competition is to find and exploit zero-day vulnerabilities in pre-determined tech targets, with the ultimate aim of improving security for everyone. This year’s event saw some of the biggest names in tech, including Apple macOS, Microsoft Windows 11, Microsoft SharePoint, Ubuntu Desktop, Tesla Gateway, Adobe Reader, and Oracle VirtualBox, all falling to the elite hackers.
With over $1 million in prizes up for grabs, the hackers had a strict time limit in which to successfully exploit each target. The Synacktiv team successfully hacked both the Apple macOS kernel and the Tesla Gateway, while the STAR Labs team executed a successful chained exploit against Microsoft SharePoint and Ubuntu Desktop. AbdulAziz Hariri from Haboob SA hacked Adobe Reader using an impressive six-vulnerability chain exploit, while Bien Pham from Qrious Security successfully executed an exploit against Oracle VirtualBox. Marcin Wiazowski successfully executed an elevation-of-privilege attack against Windows 11.
The competition continues until March 24th, with more targets, including Microsoft Teams and VMware Workstation, still to be tested. The Pwn2Own competition has been running since 2005, and has proven to be an effective way of discovering and fixing zero-day vulnerabilities in a wide range of software and hardware products.
One might ask how this could be a good thing. The answer is simple: every vulnerability exploited by these zero-day hackers is immediately turned over to the vendor in question so that they can fix the issue. Patches are then released before any technical information of merit is disclosed to the public, to ensure less ethical actors cannot maliciously exploit the vulnerabilities. ZDI neither sells nor redistributes any of the zero-days. In this way, the competition acts as a catalyst for improving security, not only for the tech targets in question, but for the wider industry as a whole.
The competitive nature of the Pwn2Own event also serves as an incentive for security researchers to develop their skills, with points awarded for successful exploits being added to a Masters of Pwn leaderboard. The cash prizes on offer are also impressive, with winnings ranging from $30,000 to $140,000, depending on the target and the nature of the exploit.
Overall, the Pwn2Own Vancouver 2023 competition demonstrates the importance of constantly testing and improving software and hardware security. By bringing together some of the world’s best hackers, the event acts as a catalyst for identifying and fixing vulnerabilities, ultimately making the digital world a safer place for everyone.