Pwn2Own, a hacker conference taking place this year in Vancouver, has already handed out almost a million dollars in prizes to those who managed to compromise systems. Windows 11, the Tesla Model 3 and the free operating system Ubuntu suffered the three biggest hacks.
Pwn2Own is a hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest now takes place twice a year.
The idea is that participants exploit widely used software and mobile devices using previously unknown vulnerabilities, in order to warn the community and IT security specialists. The first participant to complete the course of vulnerabilities wins the prize and closes the category for everyone else.
By the end of the second day, the conference had paid $945,000 in rewards, including $75,000 to attackers from offensive security firm Synacktiv for two unique bugs found in the Tesla Model 3 infotainment system owned by the world’s richest man, Elon Musk.
The bugs allowed the attackers to take over some of the car’s systems.
Browsers and virtualization were seen as similarly uninteresting, apparently with only one participant each competing against Firefox and Safari, and a lone hacker testing VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four contestants tried their hand at Teams; and two tried to break various functions of the Tesla Model 3.
Zero Day Initiative also ended up buying a vulnerability in Tesla Model 3 Diagnostic Ethernet and making it known to the automaker.
The bugs discovered
On the first day of Pwn2Own, hackers made $800,000 after successfully exploiting 16 zero-day bugs to hack multiple products, including Microsoft’s Windows 11 operating system and Teams communication platform, Ubuntu Desktop, Apple Safari, Oracle VirtualBox and Mozilla Firefox.
On the second day, the contestants won $195,000 after demonstrating faults in the Tesla Model 3 infotainment system, Ubuntu Desktop and Microsoft Windows 11.
Security researchers demonstrated six Windows 11 exploits during the contest, hacked Ubuntu Desktop four times, and demonstrated three Microsoft Teams zero-days. They also reported several bugs in Apple Safari, Oracle VirtualBox, and Mozilla Firefox.
After vulnerabilities are exploited and reported during Pwn2Own, vendors have 90 days to release security fixes before Trend Micro’s Zero Day Initiative discloses them publicly.
The competition, which celebrated its 15th anniversary this year, featured 17 entrants from dozens of cybersecurity companies taking aim at 21 different products across multiple categories. STAR Labs led the way at the end of the second day with total winnings of 270 thousand dollars.