Information security researchers who took part in this week’s Pwn2Own hacking contest walked away with more than $ 500,000 in award money after finding vulnerabilities in every major Internet browser. In addition to finding bugs in Internet Explorer 11, Mozilla Firefox, Apple Safari and Google Chrome, the contest winners also identified vulnerabilities in the Windows operating system, Adobe Reader and Adobe Flash.
Held annually during the CanSecWest security conference, the Pwn2Own contest also awards the winners with the devices they hacked. First held in 2007, this year’s competition featured seven individual and group contestants who tackled a variety of Windows-based and Mac OS X-based targets over the course of two days at CanSecWest 2015 in Vancouver.
During each of the 12 challenges, researchers and research teams had 30 minutes to demonstrate exploits on the various Windows and Mac OS targets. By the end of the competition, contestants had uncovered five bugs in the Windows OS; four bugs in IE 11; three bugs each in Firefox, Reader and Flash; two bugs in Safari; and one bug in Chrome. The big winner was JungHoon Lee, who goes by the hacker handle lokihardt and broke the all-time Pwn2Own award record.
$ 317,500 in Day One Awards
Named for the fact that competitors must hack or “pwn” a device to win it, Pwn2Own was first organized by security consultant Dragos Ruiu because of his concerns over unaddressed Apple vulnerabilities. This year’s contest was sponsored by HP’s Zero Day Initiative with support from Google’s Project Zero.
Researchers taking part in this year’s Pwn2Own included Lee; a hacker known only as ilxu1a; and individual researchers Nicolas Joly, Mariusz Mlynski and Arnaud Lubin. A number of teams also participated jointly in several challenges.
On Wednesday, Day One of the contest, Team509 and KeenTeam earned $ 60,000 for exploiting a Flash bug and garnered a $ 25,000 bonus for leveraging a local privilege escalation. Joly was awarded $ 30,000 for finding another Flash vulnerability, then took another $ 60,000 for an Adobe Reader exploit. Working with Tencent PCMgr, KeenTeam won another $ 55,000 for finding an Adobe Reader bug.
Other Day One winners included Mlynski, who earned $ 55,000 for a Firefox exploit, and the 360Vulcan Team, which was awarded $ 32,500 for exploiting a vulnerability with 64-bit Microsoft Internet Explorer 11.
‘Wow’ Just Isn’t Enough
On Day Two, Lee (lokihardt) walked away with a total of $ 225,000 for finding and exploiting three separate vulnerabilities: a time-of-check to time-of-use vulnerability in IE 11 (earning $ 65,000 in award money), a bug that affects both the stable and beta versions of Google Chrome ($ 110,000) and a use-after-free vulnerability in Apple Safari ($ 50,000).
Lee’s Chrome award was not only the single largest in this year’s competition, but the biggest ever in Pwn2Own history. “To put it another way, lokihardt (Lee) earned roughly $ 916 a second for his two-minute demonstration,” wrote Dustin Childs in a post on the HP Security Research Blog. “There are times when ‘Wow’ just isn’t enough.”
In other Day Two challenges, ilxu1a earned $ 15,000 for exploiting a Mozilla Firefox bug and came close to launching a Google Chrome exploit before running out of time.
At the end of every Pwn2Own, all the relevant vendors are informed of the vulnerabilities identified via the Zero Day Initiatives “Chamber of Disclosures.” The exploits are made public after the affected companies have issued patches for the bugs.