Day two of Pwn2Own Ireland 2024, the hacking competition organized by Trend Micro's Zero Day Initiative (ZDI) and held in Cork, has concluded. Over the course of the day, researchers demonstrated 51 zero-day vulnerabilities across the target devices and earned more than $350,000 in prizes, bringing the running total after two days to roughly $850,000.
Samsung Galaxy S24 Breach: A Complex Five-Vulnerability Chain
One of the most significant results of the competition was the successful attack on Samsung's flagship smartphone, the Galaxy S24. Ken Gannon of NCC Group chained five separate vulnerabilities to install an application on the device and obtain shell access, earning a $50,000 reward.
Notably, although $250,000 bounties were on offer for full exploits of the Google Pixel 8 and Apple iPhone 15, no one registered an attempt against either device. A no-show proves nothing on its own: it may mean the current hardening of these platforms made a complete chain too hard to assemble in time, or simply that researchers chose to spend their bugs on other targets or hold them for other venues.
IoT Devices: Prime Targets for Cybersecurity Researchers
Beyond smartphones, participants successfully compromised various smart home and networking devices:
- The DEVCORE Research team earned $40,000 for exploiting the AeoTec Smart Home Hub.
- Researchers received an equal amount for demonstrating vulnerabilities in the Synology BeeStation BST150-4T NAS device.
- Another $40,000 was awarded for a chain that first compromised a QNAP QHora-322 router and then pivoted through it to reach a QNAP TS-464 NAS behind it.
The Viettel Cyber Security team leads the competition in both points and prize money, successfully attacking multiple devices, including the popular Sonos Era 300 smart speaker.
Real-World Challenges in Cybersecurity Research
Not every attempt succeeded, a reminder that an exploit which works reliably in the lab can fail under contest conditions: the targets run the latest firmware, and each entrant gets a fixed number of attempts on a clock. For instance:
- Teams from Tenable and Synacktiv received reduced payouts because of "collisions": their entries against the Lorex 2K camera and the Synology BeeStation relied on bugs that had already been demonstrated by another entrant or were already known to the vendor, so only the novel portion of the chain earned full credit.
- Entries from DEVCORE, Rapid7, and Neodyme against the Sonos Era 300 speaker and the Lexmark CX331adwe printer could not be made to work within the allotted attempts and were recorded as failures.
Pwn2Own Ireland 2024 offers a useful snapshot of the security of widely deployed consumer devices. ZDI discloses each demonstrated bug to the affected vendor, which then has a limited window (90 days under ZDI's Pwn2Own policy) to ship a fix before details are published, so manufacturers should treat the results as a deadline rather than a curiosity. For users, the event underscores the importance of applying device and firmware updates promptly and keeping NAS devices, cameras and routers off the open internet where possible.
With two days of results in, it is clear that the work of researchers who report bugs through events like Pwn2Own, together with vendors who fix them, is what turns these demonstrations into patches rather than incidents.