Results have been summed up for the four days of the Pwn2Own Toronto 2022 competition, during which 63 previously unknown (0-day) vulnerabilities were demonstrated in mobile devices, printers, smart speakers, storage systems and routers. The attacks targeted the latest firmware and operating systems with all available updates installed, running in default configuration. Total prize money paid out came to $934,750.
36 teams and individual security researchers took part in the competition. The most successful team, Devcore, earned $142,000. The second-place finishers received $82,000, and third place (NCC Group) received $78,000.
During the competition, attacks were demonstrated that led to remote code execution on the following devices:
- Canon imageCLASS MF743Cdw printer (11 successful attacks, prizes of $5,000 and $10,000).
- Lexmark MC3224i printer (8 attacks, prizes of $7,500, $10,000 and $5,000).
- Ubiquiti printer ($50,000).
- HP Color LaserJet Pro M479fdw printer (5 attacks, prizes of $5,000, $10,000 and $20,000).
- Sonos One smart speaker (3 attacks, prizes of $22,500 and $60,000).
- Synology DiskStation DS920+ NAS (two attacks, prizes of $40,000 and $20,000).
- WD My Cloud Pro PR4100 NAS (three prizes of $20,000 and one prize of $40,000).
- Synology RT6600ax router (6 attacks via the WAN side with prizes of $20,000 and $5,000, and one prize of $1,250 for an attack via the LAN side).
- Cisco router ($37,500).
- MikroTik router ($100,000).
- Netgear RAX30 AX2400 router (7 attacks, prizes of $1,250, $2,500, $5,000, $7,500, $8,500 and $10,000).
- TP-Link AX1800 router (an attack via the WAN side, $20,000 prize, and an attack via the LAN side, $5,000 prize).
- Samsung Galaxy S22 (4 attacks, three prizes of $25,000 and one prize of $50,000).
In addition to the successful attacks listed above, 11 exploitation attempts failed. The competition also offered the Apple iPhone 13 and Google Pixel 6 as targets, but no entries were submitted against them, even though the maximum reward for an exploit achieving kernel-level code execution on these devices was $250,000.
Which components the problems are in has not yet been disclosed: in accordance with the competition rules, detailed information about all demonstrated 0-day vulnerabilities will be published only after 120 days, the period given to manufacturers to prepare updates that fix them.