🔑 Key Takeaways
- The Zero Day Initiative buys zero-day vulnerabilities from various vendors to enhance their detection system and notify vendors of serious product vulnerabilities, while also providing transparency and fair competition opportunities through Pwn2Own.
- ZDI sets a 120-day deadline for vendors to fix bugs reported by researchers and publicly discloses them if not fixed. Researchers prefer ZDI's process over convincing companies to fix bugs, and ZDI has a reputation in the industry for pressuring vendors to fix bugs quickly.
- Sandboxing isolates websites, but skilled hackers can still find vulnerabilities and escape these safe environments, posing a significant threat to computer security.
- Attackers can use vulnerabilities in operating systems to bypass browser security and earn large sums of money. Companies should offer bigger rewards for bug bounties to encourage vulnerability discovery.
- Zero-day exploits are in high demand, but selling them on the dark web can be risky. Researchers must weigh the ethical implications of selling to exploitative parties, including governments and oppressive regimes.
- Junghoon Lee's creative approach to finding vulnerabilities highlights the importance of continuously testing and improving browser security. The Pwn2Own contest serves as a valuable resource for companies seeking to enhance their products' security.
- Pwn2Own is a competitive hacking contest that tests various enterprise and consumer products with strict rules, including the use of zero-day vulnerabilities. The Master of Pwn title is awarded to the overall winner, and vulnerability collisions can occur.
- Robust security measures are necessary to protect against attackers who can exploit even browsing to a website, and testing virtualization software for security holes is crucial.
- Pwn2Own Contest highlights the need for constant innovation to combat vulnerabilities and hackers' increasing sophistication in attacking technology.
- Hackers can gain control of phones by exploiting vulnerabilities in the baseband processor, showcasing the need for improved technology security as more devices become integrated into our personal and private lives.
- Pwn2Own contest is an annual event that provides a platform for researchers worldwide to identify zero-day vulnerabilities in secure software, thereby improving cybersecurity. The contest has evolved over time, bringing together top-tier hackers who demonstrate their skills and guide other researchers in specific areas.
- Radek and Pedro team up to find vulnerabilities in hardware devices like routers, catalog their findings to help companies, and aim to achieve remote code execution. Their success stems from their specialized areas of expertise and critical analysis.
- Team Flashback is driven by a desire for respect and recognition from their peers in the cybersecurity field, rather than financial gain. They prioritize ethical hacking and adhere to the rules, earning around 200k as a side job while striving to be known as the best hackers in the world.
- Regular software patches released by organizations like ZDI can make zero-day exploits useless. The prestigious Pwn2Own event has shifted to company-supported teams, and some governments discourage sharing exploits with foreign countries. Radek and Pedro won the Masters of Pwn contest and plan to continue hacking.
📝 Podcast Summary
The World's Largest Bug-Bounty Program
The Zero Day Initiative is the world's largest vendor agnostic bug-bounty program, buying zero-day vulnerabilities from various vendors across the spectrum of IT. Although a lot of software vendors have their own bug-bounty program, they don't give ZDI any money for the bugs that ZDI reports. ZDI tries to enrich the vulnerabilities that their intrusion detection system can detect by buying bugs, and at the same time, they notify the vendor that there's a serious vulnerability in their product that needs to be fixed now. The vendors can know who the researcher was that found the bug by going to ZDI. The winner of Pwn2Own hacker competition can say they are the best hacker in the world because it's a prestigious event with high-paying rewards, fair and transparent rules and it's open for anyone in the world to compete.
ZDI's bug reporting and disclosure process
ZDI is a known entity that puts pressure on vendors to quickly fix bugs reported by researchers by giving them a 120-day deadline. If the vendor doesn't fix the problem within the given time frame, ZDI publicly discloses it, which has given them a reputation in the industry. Researchers prefer to submit bugs to ZDI as they don't want to go through the hassle of convincing the company to fix it. Sometimes the vendor disagrees with the severity of the bug, and ZDI has to go public with it to change their mind. ZDI also offered a $10,000 reward at CanSecWest conference to anyone who could hack into a fully-updated MacBook Air without the user doing anything, and Dino Dai Zovi won the reward.
Pwn2Own Contest and the Challenge of Escaping Browser Sandboxes
The Pwn2Own contest is an annual event where contestants exploit bugs in fully updated web browsers on various operating systems, attempting to take over the computer without any user interaction other than browsing to the attacker's website. Sandboxing is a method used by modern browsers to render websites in a safe environment without allowing interaction with other parts of the computer, making it difficult for attackers to take over the system. Escaping the sandbox is a significant challenge for attackers, as demonstrated by the Vupen team, who successfully exploited a use-after-free vulnerability and escaped the sandbox to take over a Google Chrome browser during the Pwn2Own contest. Overall, the contest highlights the ongoing battle between attackers and defenders in the constantly evolving landscape of cybersecurity threats.
Exploiting Undocumented Features in Operating Systems to Escape Chrome Sandbox.
Undocumented features within operating systems can be exploited to load com controls onto the clipboard and execute attacker control codes outside of the sandbox, making it possible to escape the Chrome sandbox when browsing. Vupen's successful display of this vulnerability in a major browser earned them $100,000 for the proof of concept and provided important insights for vendors, researchers, and law enforcement agencies. While bug bounties exist, the payout for a single bug rarely reaches $100,000, with most vendors offering much less. It is possible to chain a few different exploits together to make the payout more lucrative, but these vulnerabilities are becoming more difficult to find.
The Lucrative Market for Zero-Day Exploits
The market for zero-day exploits is becoming increasingly common and lucrative, with vendors sometimes paying double for researchers to focus on a particular product. While the dark web is one place to sell such exploits, it is risky and shady, and it's hard to know if the buyer is a legitimate party. Law enforcement agencies also buy zero-day exploits, such as the NSA and FBI who have used them to hack into phones. There are also mercenary groups who work for the highest bidder to hack into a target. Researchers face ethical dilemmas over whether to sell to brokers or exploiters and potentially contribute to oppressive regimes monitoring people, and some have reservations.
The Not-So-Normal Techniques of a Skilled Hacker
Junghoon Lee, also known as Lokihardt, is a skilled hacker who uses a unique approach to find vulnerabilities in various browsers. His exploits were based on race conditions and unique bugs that were not found using normal fuzzers and testing techniques. One of his most interesting exploits was an IE exploit where he used the on-screen keyboard to execute commands on the actual operating system. He won a large payout of $110,000 and a job offer from Google for his exceptional work. The Pwn2Own contest is beneficial for browser companies as it provides them with research and data to improve the security of their products. The contest has expanded to include applications and other technologies.
What You Need to Know About Pwn2Own Hacking Contest
Pwn2Own is an annual hacking contest that tests the security of enterprise products, consumer products, ICS, and SCADA products. Vendors can't opt-out of the contest even if they want to. Firefox was once excluded from the contest because it wasn't making significant security improvements. Pwn2Own is very competitive, with the introduction of the Master of Pwn title to crown the overall winner of the contest. Large teams from companies, such as Tencent and 360, participate in the contest to try to win the Master of Pwn award. Rules in the contest require the use of a zero-day vulnerability, and vulnerability collisions can occur when more than one researcher submits the same vulnerability.
The cutthroat competition of finding software vulnerabilities
The Master of Pwn competition involves finding software vulnerabilities and exploiting them for points, but as the competition has grown in importance, rival teams have started reverse-engineering each other's research and submitting bugs to vendors before the contest. Not only is the title of Master of Pwn highly sought after, but it also comes with a trophy and jacket. In one notable case, a team used an exploit in a virtual machine to take over the host operating system, showing the importance of testing virtualization software for security holes. It is important to have robust security measures in place, as even browsing to a website can be a way for attackers to take control of a computer.
Pwn2Own Contest: Finding Security Vulnerabilities in Technologies
Pwn2Own is a contest, where teams compete to demonstrate security vulnerabilities in various technologies. Richard Zhu and Amat Cama won $70k for exploiting the Edge browser and Richard Zhu won $105k for demonstrating an attack chain. The latter exploit allowed him to escape a virtual machine and gain access to the host computer. Teams like Fluoroacetate, made up of Zhu and Cama, find and report bugs to improve security. Amat's expertise is in exploiting baseband processors in phones, which Pwn2Own now has a category for. The contest is important because it highlights the need for constant innovation to combat vulnerabilities and the increasing sophistication of hacking attacks.
Fluoroacetate Dominates Pwn2Own Hacking Contest with Phone Vulnerability Exploits
Hackers can exploit vulnerabilities in the baseband processor of phones to gain code execution, which allows them to take over the phone. Fluoroacetate, a team of researchers, dominates in the Pwn2Own hacking contest by finding vulnerabilities in technology, including retrieving deleted content from a phone's cache and exploiting a vulnerability in a browser to take over a phone just by visiting a malicious website. They even received Tesla head units to hack into, but Amat accidentally fried one by plugging it into the wrong outlet. Fluoroacetate's research highlights the need for continued improvement in technology security as more technology is integrated into our personal and private lives.
The Evolution and Significance of Pwn2Own Contest for Cybersecurity Researchers.
Pwn2Own is an exciting contest that brings out bugs that should have been fixed. This contest allows researchers to guide other researchers in specific areas. The contest has evolved over time from small teams, individuals to small companies, and now back to small individual researchers. Although not a spectator sport, Pwn2Own is a place to demonstrate that you are one of the top-tier hackers in the world. Team Flashback, Masters of Pwn in 2020, are a team that specializes in hardware hacking. They met while Radek hired Pedro as an external consultant and then decided to participate in all the Pwn2Own opportunities. The contest brings together some of the brightest minds in the world against some of the most secure software to find zero-day vulnerabilities.
Collaborative Efforts in Efficient Vulnerability Detection
Radek and Pedro are professionals in the security field who team up to efficiently find vulnerabilities in products. They focus on hardware devices like routers and work together to achieve remote code execution. While they have overlaps in finding vulnerabilities, they also have specific areas where they excel - Radek on the hardware side and Pedro on writing exploits. They catalog all the vulnerabilities they find to help companies and for Pwn2Own, their goal is to gain control of the device and gain remote code execution by any means possible. They developed a fully-functional remote code execution on a home router by scrutinizing each service for vulnerabilities and crafting a packet that the router would process and execute.
Team Flashback's Motivation for Participating in Pwn2Own
Team Flashback, who has won Masters of Pwn in Pwn2Own, is not motivated by money but by respect and recognition from their peers in the cybersecurity field. They have developed dangerous exploits, including one that can give root shell access to any router on the internet. Despite being able to make more money in the gray market, they participate in Pwn2Own and play by the rules. They have earned around 200k in a year from their side job as hackers. Their motivation is to prove that they are the best hackers in the world and to be respected by their peers. Money is not their primary motivation, but it's always good to have some in their pocket.
The Game of Zero-day Exploits and the Role of Cybersecurity Organizations and Hacker Groups.
Zero-day exploits are highly valuable, and some hackers may keep them secret for the purpose of selling them to governments and mercenary hacker groups. However, organizations like ZDI help level the playing field by making these exploits useless through regular software patches. Pwn2Own is one of the most prestigious and high-paying hacking events but has shifted from independent researchers to company-supported teams. Some governments discourage security researchers from sharing exploits with foreign countries. While there are certainly better hackers out there, Radek and Pedro have discovered over 200 zero-day exploits and won the Masters of Pwn contest. They celebrate by planning to hack more stuff in the future.