Pwn2Own 2019: Hackers Earn $195,000 on Day One for Device Exploits

On the first day of Pwn2Own 2019, an annual hacker competition, participants earned a total of $195,000 for discovering vulnerabilities in TVs, routers, and smartphones. This year, Pwn2Own is being held in Tokyo. The event is organized by the Trend Micro Zero Day Initiative (ZDI), which has allocated a prize pool of $750,000 for researchers.

According to the contest rules, hackers must create working exploits for vulnerabilities in 17 different systems. At the end of the first day of Pwn2Own Tokyo 2019, ZDI reported: “In total, we awarded $195,000 for 12 vulnerabilities. Experts successfully compromised the security of seven devices across five categories nine times.”

Major Achievements on Day One

• Amat Kama and Richard Zhu from Team Fluoroacetate earned $15,000 for hacking the Sony X800G TV. They exploited a JavaScript out-of-bounds read vulnerability in the built-in browser. In theory, an attacker could use this flaw to install a shell on the device by luring the victim to a malicious website.
• Kama and Zhu also received $60,000 for exploiting a vulnerability in the Amazon Echo device.
• They earned an additional $15,000 for compromising the Samsung Q60 TV.
• The Fluoroacetate team pocketed $20,000 for a vulnerability in the Xiaomi Mi9 smartphone. According to the researchers, by tricking a user into visiting a specific website, it was possible to extract photos from the device.
• Kama and Zhu received another $30,000 for an attack that allowed them to steal an image from a Samsung Galaxy S10 using NFC technology.

The Pwn2Own competition continues, with more devices and vulnerabilities expected to be tested in the coming days. The event highlights the importance of security research and the ongoing need to address vulnerabilities in consumer electronics.