The SOHO Smashup Returns for Pwn2Own Toronto 2023

If you just want to read the rules, you can find them here.

Our consumer-focus Pwn2Own event return to Toronto for 2023. The contest will be held at the Trend Micro office in Toronto on October 24-27. We had a great event last year, and we’re looking forward to another exciting contest. One of the things that made it so great was having so many of the competitors hanging out all day. We had so many fantastic discussions with talented researchers, and in-person attendance was key to that experience. While we are still allowing remote participation, we’ll be reimbursing up to $3,000 for travel expenses for former Pwn2Own winners that choose to come to Toronto to participate. We also will be able to host a limited audience for those who wish to attend and observe the contest, so look out for more information about that in the future.

If you can’t be in Toronto due to travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest deadline (October 19, 2023) and submit your entry, a detailed whitepaper completely explaining your exploit chain, and instructions on how to run the entry by the end of the registration period. A member of the ZDI staff will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.

As for the contest itself, we’re pleased to announce the return of Synology as a co-sponsor of the event. We’re also excited to announce the return of the “SOHO Smashup” category, where the contestants must start on the external interface of a router, compromise the router, then pivot to another device connected to the network. Last year, the DEVCORE team was the first to succeed in this category by using two different stack-based buffer overflow attacks against a Mikrotik router and a Canon printer – winning $100,000 in the process. We’re also bringing cameras back into the contest under the surveillance category. You may notice we’ve eliminated the router category. We still want to find bugs in these devices, but we’re focusing on the WAN interface in the SOHO Smashup rather than just the LAN interface. Beyond that, the contest remains similar to the event we had last year. We awarded $989,750 during the 2022 event. We’ll see if we can eclipse $1,000,000 this year.

UPDATE: As of September 18, we’re happy to announce Google has also signed on to be a partner for this year’s event. We’ve worked with Google in the past on other Pwn2Own competitions, and we’re happy to include some of their products in a special “Google Devices” category.

As always, we’ll have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Our intention with allowing remote participation is to provide as many people as possible with the benefits of participating in Pwn2Own while still treating all contestants as equally as possible. As always, if you have questions, please contact us at pwn2own@trendmicro.com (note the new address). We will be happy to address your issues or concerns directly.

Now on to the specific target categories. We’ll have seven different categories for this year’s event:

Let’s take a look at each category in more detail, starting with mobile phones.

The original name for this event was “Mobile Pwn2Own” and our focus was strictly on phones. Mobile handsets remain at the heart of this event. As always, these phones will be running the latest version of their respective operating systems with all available updates installed. We’ve increased the rewards on these targets to add further incentives to these handsets.

In this category, contestants must compromise the device by browsing to content in the default browser for the target under test or by communicating with the following short-distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. The awards for this category are:

The Google and Apple devices in this category also include an add-on bonus. If your exploit payload executes with kernel-level privileges, you earn an additional $50,000 and 5 more Master of Pwn points. That means a full exploit chain that includes kernel-level access will earn $300,000 for the iPhone and $250,000 for the Pixel.

With many working from home, enterprises have found their network perimeter relocate to the home office. Threat actors exploiting home routers and consumer devices can use these as a launch point for lateral movements into enterprise resources. We wanted to demonstrate this during the contest, so we’re bringing back the SOHO Smashup category to show how this could happen. Contestants will need to first compromise the WAN port on a selected router. Once they accomplish that, they will need to pivot to one of the other devices and compromise it as well. The contestant is free to select any combination of router and home automation hub, smart speaker, printer, surveillance systems, or network-attached storage device during the registration process – although you won’t have some of the same easy targets as last year. If they get both devices within 30 minutes, they earn $100,000 and 10 Master of Pwn points. We’re hopeful multiple teams will use this category to choose their own (mis)adventure.

Cameras have become an everyday part of our world, with wireless cameras operating in homes, offices, and stores. Notwithstanding privacy questions, the security of these devices could prove a tempting treat for attackers. An attempt in this category must be launched against the target’s exposed network services or target’s exposed features from the contestant’s laptop within the contest network.

Many of the cameras and other “smart” devices are connected to a centralized hub. From lights to locks to thermostats, cameras, and more, all can be accessed through a home automation hub. Of course, that means a threat actor could potentially access them as well. Some of the most popular smart hubs are included in this year’s event.

Exploits involving printers have made quite a bit of news over the last few years, with ransomware gangs incorporating PrintNightmare bugs in their exploit kits. During last year’s event, one printer ended up playing the theme to Mario. It will be interesting to see what exploits the contestants come up with this year.

Smart speakers continue to play a large part in our daily interactions with music, news, and more. They also offer an attack surface for threat actors to target. For this event, Pwn2Own Toronto has four targets available in this category.

NAS devices make their return to Pwn2Own, and both Synology and Western Digital have returned as targets. We’re also adding the TS-464 from QNAP to this group. An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network.

In addition to the added Google devices in the Surveillance and SOHO Smashup categories, we have a couple of extra targets specifically requested to be added by Google. An attempt in this category must be launched against the target’s exposed network services or the target’s exposed features from the contestant’s laptop within the contest network. 

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2024).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone 14 with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but completes the attempt. The final point total will be 20 Master of Pwn points.

The Complete Details

The full set of rules for Pwn2Own Toronto 2023 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Eastern Daylight Time on October 19, 2023.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OToronto hashtag for continuing coverage.

We look forward to seeing everyone in Toronto and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Toronto 2023 sponsors, Synology and Google, for providing their assistance and technology.

©2023 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.