Pwn2Own Ireland 2024, a hacking competition organised by Trend Micro’s Zero Day Initiative (ZDI), has already paid out almost $850,000. On the first day, participants earned a total of $516,250, and on the second day, awards over $350,000 were given out—including $50,000 to Ken Gannon, a security consultant at the NCC Group, for an exploit chain attack targeting Samsung’s latest flagship Galaxy S24.
Samsung’s favourite son isn’t the only target at Pwn2Own 2024. ZDI has also offered rewards of up to $250,000 for the Pixel 8 and iPhone 15. However, no one has signed up to breach these devices yet. There’s one more day left of the competition, so there’s a chance we might just see an exploit targeting these devices.
Gannon’s S24 compromise chained five vulnerabilities, including a path traversal that let him deploy a shell on the S24 and install an app. He is the only participant who has attempted, and successfully completed, a phone hack at the event so far.
Other devices breached at the event include Canon and HP printers, Lorex and Ubiquiti cameras, and QNAP and Synology NAS devices. A reward of $41,750 was given for an exploit of the Synology BeeStation BST150-4T NAS, and the same amount separately for an exploit chain that reached a QNAP TS-464 NAS via a QNAP QHora-322 router. Two Sonos Era 300 smart speaker hacks were also awarded $30,000 each.
Results for day three of the event are still pouring in on ZDI’s blog. So far, the QNAP TS-464 NAS has been breached again, this time with a command injection bug, for a $10,000 award. The Synology BeeStation was also exploited through a chain combining a CRLF injection, an authentication bypass, and a SQL injection, earning $20,000. A Lexmark printer was breached with a combination of an out-of-bounds (OOB) write and a memory corruption bug, pivoting through the QNAP QHora-322 router, for a $25,000 reward.