Pwn2Own Austin 2021: Phones, Printers, NAS, and more!
August 12, 2021 | Brian GorencIf you just want to read the rules, you can find them here.
Since its inception, our Fall Pwn2Own contest has focused on consumer devices – even as the contest itself has wandered around the world. It started in Amsterdam in 2012 with just mobile phones. The next year, the contest moved to Tokyo to be held concurrently with the PacSec Applied Security conference and, over the years, grew to include TVs, wearable, and smart speakers. Last year, the contest moved to Toronto and expanded again to include Network Attached Storage (NAS) devices. For 2021, we’re on the move again. This year, we’ll be hosting Pwn2Own for our headquarters in Austin, Texas on November 2-4, 2021. For this year’s event, we’re growing again to reflect the home-office environment many currently find themselves in by expanding the router category and implementing the printer category. In all, we’ll have 22 devices available as targets and be offering more than $500,000 USD in prize money.
Similar to how we’ve conducted our last few Pwn2Own events, we will allow remote participation in this inaugural Pwn2Own Austin. As of now, we are planning on having contestants in person if possible. However, if you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest deadline (October 29, 2021) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry by November 1, 2021. A member of the ZDI staff in Austin will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.
Otherwise, the contest will run as we have in the past. We will have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Our intention with allowing remote participation is to provide as many people as possible with the benefits of participating in Pwn2Own while still treating all contestants as equally as possible. As always, if you have questions, please contact us at zdi@trendmicro.com. We will be happy to address your issues or concerns directly.
As for the contest itself, we’re pleased to announce Western Digital has joined us as an Event Partner this year, offering three of its devices as targets. We’ve also signed on Synology to co-sponsor the competition. Western Digital and Synology devices will be prime targets for researchers. Both vendors had NAS devices featured in last year’s event, and we’re thrilled they decided to expand their participation in this year’s contest. Vendor participation remains a key component to the success of these contests. As with our other Pwn2Own competitions, Pwn2Own Austin seeks to harden these consumer-focused devices and their operating systems by revealing vulnerabilities and providing that knowledge to the vendors. As always, the goal is to get these bugs identified and fixed before they’re exploited by threat actors.
The Target Handsets
At its heart, Pwn2Own Austin (once known as Pwn2Own Mobile) looks at mobile phones, and our move to Texas doesn’t change this fact. Here are the target handsets for Pwn2Own Austin 2021:
— Google Pixel 5
— Samsung Galaxy S21
— Apple iPhone 12
As always, these phones will be running the latest version of their respective operating systems with all available updates installed. We’ve increased the rewards on these targets to add further incentives on these handsets.
Printers, Network Attached Storage, Smart Speakers, Televisions, and More
Over the past few years, we’ve been expanding the targets to include more than just mobile phones. Last year, we introduced Network Attached Storage (NAS) devices. This year, we’re including printers as a target. Print spooler bugs have garnered much attention this summer, but what about the devices themselves? We’ll find out, as printers from HP, Lexmark, and Canon will be put to the test.
Here’s the full list of all devices included in this year’s event:
Printers:
— HP Color LaserJet Pro MFP M283fdw
— Lexmark MC3224i
— Canon ImageCLASS MF644Cdw
Home Automation:
— Portal from Facebook
— Amazon Echo Show 10
— Google Nest Hub (2nd Gen)
— Sonos One Speaker
— Apple HomePod mini
Televisions:
— Sony X80J Series - 43”
— Samsung Q60A Series – 43”
Routers:
— TP-Link AC1750 Smart Wi-Fi Router
— NETGEAR Nighthawk Smart Wi-Fi Router (R6700 AC1750)
— Cisco RV340
— Mikrotik RB4011iGS+RM
— Ubiquiti Networks EdgeRouter 4
Network Attached Storage (NAS):
— Synology DiskStation DS920+
— Western Digital My Cloud Pro Series PR4100
— Western Digital 3TB My Cloud Home Personal Cloud
External Storage:
— SanDisk Professional G-DRIVE ArmorLock SSD 1TB
As with the phones, these devices will be updated to the most recent patch level or system update, and all will be in their default configuration.
Pwn2Own Austin Challenges for 2021
Now that you know the devices available, let’s look at the different categories of challenges, starting with the mobile handsets.
Mobile Phone Category
In this category, contestants must compromise the device by browsing to web content in the default browser for the target under test or by communicating with the following short distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. The awards for this category are:
This category also includes an add-on bonus. If your exploit payload executes with kernel-level privileges, you earn an additional $50,000 and 5 more Master of Pwn points. That means a full iPhone or Pixel browser exploit with kernel-level access will earn $200,000.
Challenges Involving Other Devices
This is our fourth year including other types of consumer and home automation devices, and each year brings new research that exceeds our expectations. Last year we saw NAS devices compromised as a part of the contest. They return along with an expanded routers list and the aforementioned printers. It should be a great contest.
Printer Category
An attempt in this category must be launched against the target’s exposed network services from the contestant’s device. Three of the most popular LaserJet printers are included in this year’s event.
NAS Category
This is the second year for NAS devices at Pwn2Own, and both Synology and Western Digital have returned with their latest offerings. An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.
For details about the 3TB My Cloud Home Personal Cloud from WD - firmware version 8.xx.xx-xxx (Beta), see the supplemental blog here.
External Storage Category
While not as complex as a NAS server, external storage devices offer a tempting target for attackers. This year’s contest adds a single device in this category. An attempt in this category must be launched against the target’s exposed interfaces and result in arbitrary code execution.
Home Automation Category
Smart speakers continue to play a large part in our daily interactions with music, news, and more. Pwn2Own Austin has five targets available in this category.
Router Category
Past successful entries in this category have demonstrated some flair by having the LED lights flash in different patterns. This year, we add some more sophisticated routers to the list. An attempt in this category must be launched against the target’s exposed network services from the contestant’s device within the contest network.
Contestants can register for attempts against the WAN interface, the LAN interface, or both interfaces on the same device.
Television Category
These days, it’s difficult to find a television set that doesn’t include a web browser and network applications. Pwn2Own Austin 2021 has two devices under test this year.
Master of Pwn
No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2022).
For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone 12 in the Browser category with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but completes the attempt. The final point total will be 10 Master of Pwn points.
The Complete Details
The full set of rules for Pwn2Own Austin 2021 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate.
Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Eastern Daylight Time on October 29, 2021.
The Results
We’ll be blogging and tweeting results in real-time throughout the competition. We’ll also be broadcasting the event live on Twitch and YouTube. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OAustin hashtag for continuing coverage.
We look forward to seeing everyone in Austin and online, and we look forward to seeing what new exploits and attack techniques they bring with them.
With special thanks to our Pwn2Own Austin 2021 partner Western Digital for providing their hardware and support. Thanks also go to our Pwn2Own Austin 2021 sponsor, Synology, for providing their assistance and technology.
©2021 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.