Announcing Pwn2Own Tokyo for 2018

September 04, 2018 | Brian Gorenc

This is the time of year we at the Zero Day Initiative (ZDI) typically announce the targets and rules for our annual Mobile Pwn2Own competition. While we still want to find the latest and greatest security research in the mobile phone space, we also wanted to expand the scope of our fall contest. This year, we’re introducing an Internet of Things (IoT) category as a reflection of our daily interaction with connected devices beyond smartphones. And, now that we’re beyond just mobile devices, the name of the event has been updated as well.

Pwn2Own Tokyo will take place on November 13 – 14 during the PacSec conference, which is held at the Aoyama St. Grace Cathedral in Tokyo, Japan. More than $500,000 USD in cash and prizes are available to researchers with ten different devices available as targets in a total of five different categories. Similar to our Pwn2Own contest held in Vancouver, this edition of Pwn2Own seeks to highlight the latest security research in the devices that surround us – even if we forget those devices are present. As with the spring edition, Pwn2Own Tokyo seeks to harden these devices and their OSes by revealing vulnerabilities and providing that research to the vendors. As always, the goal is to get these bugs fixed before they’re actively exploited.

The Target Handsets

The mobile devices for this year’s contest will be as follows:

Google Pixel 2
Samsung Galaxy S9
Apple iPhone X
Huawei P20
Xiaomi Mi6

All of these phones will be running the latest version of their respective operating systems with all available patches installed.

The IoT Targets

The IoT devices we’re introducing this year are:

Apple Watch Series 3
Amazon Echo (2nd Generation)
Google Home
Nest Cam IQ Indoor
Amazon Cloud Cam Security Camera

All of these devices will be updated to the most recent patch level or system update, and all of them will be in their default configuration.

The Pwn2Own Tokyo Challenges

This year, we have five categories of challenges open to contestants.

In this category, a successful entry will get code execution on the device without user interaction. The awards for this category are:

Target Cash Prize (USD) Master of Pwn  Points
Apple Watch $60,000 10
Amazon Echo $60,000 10
Google Home $60,000 10
Nest Cam IQ Indoor $40,000 8
Amazon Cloud Cam Security Camera $40,000 8

In this category, contestants will target the default web browser of each particular handset. The awards for this category are:

Target Cash Prize (USD) Master of Pwn Points
Huawei P20 $25,000 6
Xiaomi Mi6 $25,000 6
Samsung Galaxy S9 $25,000 6
Apple iPhone X $50,000 8
Google Pixel 2 $50,000 8

Short Distance
In this category, we’ll be looking at attacks happening over Wi-Fi, Bluetooth, or near field communication (NFC). The awards for this category are:

Target Cash Prize (USD) Master of Pwn Points
Huawei P20 $30,000 6
Xiaomi Mi6 $30,000 6
Samsung Galaxy S9 $30,000 6
Apple iPhone X $60,000 10
Google Pixel 2 $60,000 10

Attacks in this category will take place by viewing or receiving a MMS or SMS message. The awards for this category are:

Target Cash Prize (USD) Master of Pwn Points
Huawei P20 $40,000 8
Xiaomi Mi6 $40,000 8
Samsung Galaxy S9 $40,000 8
Apple iPhone X $75,000 10
Google Pixel 2 $75,000 10

The final category will cover attacks where the target device communicates with a rogue base station. The awards for this category are:

Target Cash Prize (USD) Master of Pwn Points
Huawei P20 $50,000 15
Xiaomi Mi6 $50,000 15
Samsung Galaxy S9 $50,000 15
Apple iPhone X $150,000 20
Google Pixel 2 $150,000 20

Two of the categories, Browser and Short Distance, have additional bonuses available for researchers to target. Successfully meeting these additional challenges brings extra cash awards and more Master of Pwn points. The first add-on bonus is a Kernel Bonus, in which the exploit payload must execute with kernel-level privileges. Earning this bonus results in an extra $20,000 and an additional 2 Master of Pwn points. The Persistence Bonus is available on the Apple iPhone X and the Google Pixel 2. For this bonus, the exploit payload must survive a reboot of the device. On the iPhone, this earns the contestant an additional $50,000 while successfully persisting on the Google Pixel 2 device will earn an extra $25,000. For either phone, the Persistence Bonus earns an additional 3 Master of Pwn points.

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title, trophy, and fabulous jacket comes with an additional 65,000 ZDI reward points.

Master of Pwn Trophy from 2017

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title. To add to the intrigue, we’ve added penalties for withdrawing from an attempt.  If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for Safari Browser with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but successfully completes the Safari Browser attempt. The final point total will be 6 Master of Pwn points.

If a contestant decides to withdraw from the registered attempt prior to the actual attempt, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest. Since Pwn2Own is now often a team competition, along with the initial deduction of points, the same number of Master of Pwn points will also be deducted from all contestants from the same company.

The Complete Details

The full set of rules for Pwn2Own Tokyo 2018 are available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. Registration closes at 5:00 p.m. Japan Standard Time on November 7, 2018.

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OTokyo hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo, and we look forward to seeing what new exploits and attack techniques they bring with them.


Please direct all media inquiries to or call +1 (817) 522-7911.



©2018 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.