Pwn2Own is a hacking contest held during the CanSecWest security conference every year in Vancouver. The event is designed to allow hackers to bring system vulnerabilities to light in widely used software and mobile devices. There are hefty cash prizes for finding holes in common programs, and vendors leave with an idea of how to fix these security gaps. In all, it's an event sponsored by Trend Micro and Hewlett Packard Enterprise that leads to benefits for both vendors and consumers.
This year's CanSecWest conference took place March 16 to 18 at the Sheraton Wall Centre in Vancouver. Attendees could sit in on classes and listen to industry professionals speak on various topics. For instance, cyber security expert Joe FitzPatrick taught a class called "Applied Physical Attacks on x86 Systems." Basically, the point of these classes and panels is to educate professionals about certain vulnerabilities within the systems they use on a daily basis so that they can apply this knowledge to security patches down the line.
The hacking contest portion of the conference was successful at bringing some vulnerabilities to light. The 2016 conference welcomed five hacking teams that made 11 attempts over the course of two days. On the first day, according to Trend Micro's Christopher Budd, a total of $282,500 in prizes was distributed to the teams.
South Korean hacker JungHoon Lee, acting by himself instead of as part of a team, won $60,000 on the first day alone for exploiting vulnerabilities in the Apple Safari browser, among others. Lee's alias during this event was lokihardt, and he has competed in previous years. At the end of the second day, the team that won the most points and thus came away with the coveted title of Master of Pwn was Tencent Security Team Sniper, with Lee coming in second place. In total, three Safari bugs were exploited, two in Microsoft Edge and four in Adobe Flash Player.
In 2015, the story was much the same, with one familiar hacker dominating the event. According to ZDNet, Lee ruled the day, eventually taking home $225,000 in prize money for finding the most bugs in the allowed systems. He even found one bug in Google Chrome, which is notoriously difficult to hack.
"With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM and another $10,000 from Google for hitting the beta version for a grand total of $110,000," Pwn2Own organizers from HPE wrote in a blog post. "To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration."
All told, Pwn2Own found five bugs in the Windows operating system, four in Internet Explorer 11, three in Mozilla Firefox and three bugs in Adobe Reader, among others.
What's the point?
What are the goals of the Pwn2Own hacking contest? There are a few things that security firms set out to accomplish when they attend. According to TechTarget, once a device has been hacked at this event, sponsors will send the information to the vendor so that the company can strengthen its program's or device's security based on the data provided.
Therefore, as vendors learn more about the vulnerabilities in their software and devices, they can strengthen their cyber security, which in turn bolsters that of their customers. How can consumers and businesses alike steer clear of these bugs in the programs they use on a daily basis? Implementing effective cyber security solutions could be the answer to this issue. By investing in these kinds of tools, they can protect their systems and make sure their data is safeguarded against malicious actors.