Hackers Reveal 52 Zero-Day Vulnerabilities at Pwn2Own Ireland 2024

In a striking display of skill and innovation, hackers at the inaugural day of Pwn2Own Ireland 2024 uncovered an impressive total of 52 zero-day vulnerabilities across various devices, raking in an astounding $486,250 in cash prizes. This event, known for its high-stakes hacking challenges, kicked off with fierce competition among cybersecurity professionals eager to earn the coveted title of ‘Master of Pwn.’

Leading the charge was Viettel Cyber Security, who quickly established dominance in the competition by accumulating 13 points. The team, comprising skilled participants known by their handles phudq and namnp, executed a successful exploit against a Lorex 2K WiFi camera utilizing a stack-based buffer overflow vulnerability. Their efforts were not only rewarded with 3 points but also a generous payout of $30,000.

Sina Kheirkhah from Summoning Team emerged as a standout performer during this intense hacking event. Kheirkhah orchestrated a remarkable chain of nine vulnerabilities that began with a QNAP QHora-322 router and concluded with a successful compromise of the TrueNAS Mini X device. This impressive feat netted the team a whopping $100,000 and a total of 10 points towards the Master of Pwn title.

Following Kheirkhah’s triumph, Jack Dates from RET2 Systems showcased his prowess with a successful out-of-bounds (OOB) write exploit on the Sonos Era 300 smart speaker. This exploit allowed him comprehensive control over the device, landing him $60,000 and 6 points. The action didn’t stop there, as Viettel Cyber Security returned to the fray with a second successful exploit, cleverly combining four new bugs to transition from the QNAP QHora-322 router to the TrueNAS Mini X, resulting in an additional $50,000 reward and another 10 points.

Despite the excitement, day one was not without its challenges. The Summoning Team faced difficulties executing their exploits on the QNAP TS-464 and Synology BeeStation BST150-4T, ultimately running out of time. Similarly, Synacktiv encountered a bug collision during their attempt to exploit the Lorex 2K camera, which unfortunately resulted in a reduced payout of $11,250.

As the first day of Pwn2Own Ireland 2024 drew to a close, participants had demonstrated both tactical skill and resilience, showing that the road to success in hacking holds both triumphs and setbacks. With three more days of competition remaining, participants will continue attempting to exploit security vulnerabilities in fully patched SOHO devices, ranging from printers and NAS systems to WiFi cameras, routers, smart speakers, and even mobile phones, including the latest Samsung Galaxy S24, with a substantial portion of the $1 million prize pool still at stake.

The event also highlights the pressing nature of cybersecurity threats, as several recent zero-day vulnerabilities have been actively exploited in the wild. For instance, reports have emerged of Lazarus hackers using fake DeFi games to exploit a Google Chrome zero-day, and of Fortinet warning of a new critical flaw in FortiManager being used in zero-day attacks. Furthermore, Google disclosed that 70% of the vulnerabilities exploited in 2023 were zero-days. This underlines the importance of ongoing vigilance and innovation in cyber defense practices.

The initial day of competitive hacking concluded with shouts of congratulations for the participants from industry peers. Acknowledgment was also given to the businesses and organizers supporting this event aimed at fostering safe discovery and rewarding bug bounties. As the competition progresses, the hope remains that all involved will walk away having gained invaluable experience and insights from this unique event.
