Pwn2Own Toronto 2022


I had the honor of being a guest at Pwn2Own 2022 hosted by Trend Micro in Toronto.

The event consisted of teams of security researchers, or single researchers, demonstrating active exploitation of zero days they had discovered in consumer devices. The exploited devices included printers, routers, mobile phones, and more. Whitepapers containing details of each vulnerability and exploit are published after the zero days are reported to vendors and a patch is released.

The schedule for the event can be found here.

Results of the event day 1 can be found here.

Results of the event day 2 can be found here.

One of the more interesting zero days was the exploitation of the Samsung S22. The researcher was able to gain access to the device in under 5 minutes with an improper input validation attack. This is evidence that even with all the work that goes into the development of a piece of software, there will always be bugs.

Another interesting zero day that was exploited was in the WAN interface of the TP-Link AX1800 router. The attack types were authentication bypass and command injection. The implication is that, should this zero day be leaked, all internet-connected routers of this model would be vulnerable and possibly exploited, putting home networks at risk. I would expect this exploit to fetch a hefty price on the dark web.

Another research team attempted to compromise a SOHO mashup, that is, a router connected to a printer. Their attack path was to compromise the router's WAN interface first and then compromise the printer. Unfortunately, they failed and the exploit did not work.

The role that Trend Micro plays in this event is interesting as well. They provide the opportunity for security researchers to be compensated for their work, and that compensation also acts as motivation. But aside from the monetary side, Trend Micro is in a unique position. By acting as a ‘disclosure intermediary’ between researcher and vendor, they develop ‘digital vaccines’, as they refer to them, which act as band-aids for the zero day while the vendor develops and publishes a patch. This provides value not only to Trend Micro as a business but also to the wider security community. They exercise responsible disclosure and help organisations defend against zero days.

Key takeaway from this event:

Zero days always exist

Beesham Sarendranauth
