Behind the Scenes of Pwn2Own Toronto 2022
December 15, 2022 | Brian GorencLast week, we completed our largest Pwn2Own contest ever. We saw 66 entries over four days and witnessed some amazing research resulting in $989,750 USD for 63 unique 0-days. However, leading up to the event was anything but smooth sailing on calm seas. Here’s the wrap video summarizing the event:
When we published the rules, we anticipated quite a bit of interest in both the routers and the SOHO Smashup targets. What we didn’t expect was 85 entries overall. To put some perspective on that number, in 2017, we had 13 total entries in what was (at the time) our largest event ever. We’ve had some growth.
While we were struggling to find a way to run that many attempts in three days, the first of several patches appeared. Most notably, NETGEAR released a fix specifically targeting bugs that were scheduled to be demonstrated during the contest. TP-Link and Sonos also released updates. As a consequence, many contestants withdrew their entries. Our inbox was flooded with questions about various updates and configuration details. At one point, we were down to just over 50 entries. One of our goals with Pwn2Own is to incentivize companies to improve the security of their devices and services, so it’s great to see improvements happen – whether they are a direct result of Pwn2Own entries or pre-emptive patches that stop Pwn2Own entries. It also highlights the skill and ingenuity of the researchers participating in the contest as many had quickly bypassed the patch and re-submitted entries. By the time we started the contest, we had ramped back up to 66 entries scheduled for four days.
Many don’t realize that each attempt needs at least two hours scheduled. The most obvious 30 minutes are the attempt itself. Before the attempt, we need time to set up the test environment. Sometimes that’s as simple as connecting a printer to a switch and giving it an IP address. Other times, it can be quite complex depending on the target. We need time after the attempt, too. The contestants provide ZDI analysts with the details of the bugs they used in their exploit. Pwn2Own is a true 0-day contest, which means it doesn’t qualify for the full award if we already know about the bug. In the past, we’ve seen contestants submit bugs to us and the vendors prior to the event in an attempt to kill their competitor’s bugs. Sometimes it works. Finally, we bring the vendors in to disclose the bugs to them as well. They are allowed to ask questions directly to the researchers about their entry. “How did you find this?” is a popular one. This is another great resource Pwn2Own provides – a bridge between a global network of independent researchers and vendors creating the services and products we all rely on.
Now that we have identified the targets, published the rules, applied the patches, held the drawing, and made the schedule (whew!), we are now ready to run an attempt. A ZDI analyst, sometimes “a gruff-looking bald man with a goatee,” will ask if you are ready, and the countdown begins. Now we find out if your hours and hours of research will work as intended or if something goes awry. Most often, the exploit succeeds and everyone claps. Visually, there’s not a lot to see. We can’t show the screens because we’re dealing with unpatched bugs. We don’t want them unintentionally exposed. Sometimes it fails. Contestants have the opportunity to make changes to their exploit, confirm configurations, ask questions, and try again. Sometimes they triumph on a subsequent attempt, which happened multiple times in this contest. For those interested, here’s a list of the bug types used during the event:
Once the contest is complete, our work continues as we coordinate the release of the patches with the vendors, develop protection rules for the various Trend Micro products we support, and work on paying the winners. While it really is a mountain’s worth of effort, Pwn2Own is one of the highlights of our year. And there’s always another one coming up. Just days before the Toronto event occurred, we announced the rules and targets for our Miami contest, which happens in February.
I’ve literally lost count of how many Pwn2Owns I have participated in. Each one has its own unique story. Each one leaves us a different sort of exhausted. Each one shows us something we’ve never seen before. And that’s why we’ll keep doing them as long as the powers that be allow us to do so. We hope to see you at one someday soon.