Pwn2Own 2019: Hackers earn $200k USD for finding vulnerabilities in smartphones, TVs and smart speakers

Once again, Tokyo, Japan, is host to the Pwn2Own ethical hacking event organized by the Zero Day Initiative, and this time the Fluoracetate hacker team has swept the competition. After two days of the event, the two experts who make up this team had accumulated more than $140k USD in rewards for finding and exploiting vulnerabilities in mobile devices from manufacturers such as Xiaomi and Samsung, among others.

This year’s winning hacker team, made up of Amat Cama and Richard Zhu, began their participation in the event by demonstrating an exploit on a Sony X800G smart TV, earning $15k USD.

Richard Zhu & Amat Cama, Pwn2Own 2019 winners

Subsequently, the ethical hacking experts took control of an Amazon Echo Show 5 smart speaker through an integer overflow in JavaScript, receiving a prize of $60k USD. Other devices hacked by Fluoracetate include a Samsung Q60 smart TV, a Xiaomi Mi9 smartphone and a Samsung Galaxy S10.

These hackers have built a wide lead over the rest of the Pwn2Own 2019 participants, so they are expected to win the Masters of Pwn title, the name given to the tournament's overall award, for the third year in a row.

The previous year, Fluoracetate earned more than $80k USD for finding vulnerabilities in next-generation devices, such as Apple's iPhone X and the mobile browser on Xiaomi's smartphone, among others, claiming the title of Pwn2Own 2018 winners.

Although the results of the event were overwhelmingly favorable to Fluoracetate, the other ethical hacking experts who participated also made important findings. Second place in the rankings went to F-Secure Labs, a team that amassed more than $70k USD in rewards for its findings; Flashback, a team debuting at Pwn2Own, took third place with about $50k USD.

In total, more than $300,000 was awarded to the participating ethical hacking experts; reports on the vulnerabilities found will be sent to the manufacturers of the exploited devices, who are expected to fix them within 90 days of the report.

According to the ethical hacking specialists of the International Institute of Cyber Security (IICS), such events encourage participation from across the cybersecurity community, whether established firms or independent researchers, in combating the exploitation of vulnerabilities in commonly used hardware and software.

However, the event is also a reflection of the many security weaknesses present in all kinds of Internet-connected devices, which is why it is important that ethical hackers find these flaws before threat actors do.