Hackers Earn $400k on First Day at Pwn2Own Toronto 2023

October 25, 2023 at 12:16PM

The Pwn2Own Toronto 2023 hacking contest started and participants successfully hacked various devices, earning over $400,000 on the first day. Team Orca of Sea Security earned the highest reward of $60,000 by exploiting vulnerabilities in the Sonos Era 100 speaker. Other devices targeted included the Samsung Galaxy S23, Western Digital’s My Cloud Pro Series PR4100, Xiaomi 13 Pro, QNAP TS-464 NAS, Synology BC500 IP camera, Canon imageCLASS MF753Cdw, and Lexmark CX331adwe printers. The contest will continue until Friday. Smart vehicles will be featured in the first dedicated Pwn2Own Automotive competition in January 2024.

During the Pwn2Own Toronto 2023 hacking contest, participants successfully hacked various devices including NAS, printers, mobile phones, and more. On the first day, they earned over $400,000 in total.

Team Orca of Sea Security received the highest reward of $60,000 for executing a two-vulnerability exploit chain on the Sonos Era 100 speaker. The vulnerabilities were an out-of-bounds read and a use-after-free.

Pentest Limited earned the second highest reward of $50,000 for an improper input validation exploit targeting the Samsung Galaxy S23 mobile phone. They also earned an additional $40,000 for a two-bug exploit chain on Western Digital’s My Cloud Pro Series PR4100 NAS device.

Team Viettel earned $40,000 for a single-bug exploit on the Xiaomi 13 Pro mobile phone, and team ECQ earned the same reward for a three-bug exploit chain on the QNAP TS-464 NAS device.

Hackers also targeted the Synology BC500 IP camera and earned around $50,000 for the exploits. Additional exploits on the Xiaomi 13 Pro and Samsung Galaxy S23 earned the teams over $40,000.

The Canon imageCLASS MF753Cdw and Lexmark CX331adwe printers were also hacked, earning the participants over $60,000.

While not all exploits demonstrated were new, participants still received lower-tier rewards for their efforts, according to ZDI.

The hacking competition will continue until Friday, showcasing exploits in various categories such as NAS devices, smart speakers, printers, mobile phones, and surveillance systems.

It’s worth noting that smart vehicles are not part of this contest but will be featured in the upcoming Pwn2Own Automotive event, which will take place in January 2024 in Tokyo, Japan.
