The 2022 edition of the popular (or infamous, depending on your point of view) Pwn2Own competition kicks off later today in Vancouver, British Columbia.
(In fact, this year the event is billed as a “hybrid,” so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)
Several vendors have put up cash prizes for hacking a range of their products, with this year’s potential targets being:
- Virtualization: Oracle VirtualBox, VMware Workstation, VMware ESXi, and Microsoft Hyper-V Client.
- Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
- Enterprise applications: Adobe Reader and Office 365 ProPlus.
- Servers: Microsoft RDP / RDS, Exchange, SharePoint, Samba.
- Endpoint operating systems: Ubuntu Desktop and Windows 11 (elevation of privilege only).
- Enterprise communications: Zoom, Microsoft Teams.
- Automotive: a set of categories based on the Tesla 3.
Interestingly, the Servers and Enterprise applications categories attracted precisely zero hackers this year.
Browsers and Virtualization were apparently considered similarly uninteresting, with just one entry each for Firefox and Safari, and a solo hacker taking on VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four contestants will take a pop at Teams; and two will go after different aspects of the Tesla 3.
The rules of Pwn2Own are kind of weird, since some participants may end up not competing at all.
The Tesla hackers (two different categories), along with the browser and virtualization entrants, are certain to get their turn, since they are the only competitors in their categories.
Either they will make it within their half-hour slot and claim their prize, or they will fail and go home empty-handed.
Everyone else’s participation depends on what happens before their turn comes around.
Pwn2Own is not, for example, a time-trial sporting event (think downhill skiing), where even if the first entrant beats the current world record and appears to have set an unbeatable time, they still have to wait until the last competitor finishes to find out whether their early time was good enough.
In Pwn2Own, by contrast, the first participant to complete the course wins the prize and closes the category to everyone else. If it were downhill skiing, the first skier wouldn’t have to break the record to win outright; they would just need to get to the bottom without falling or exceeding a preset time limit.
Speed is not entirely unimportant in Pwn2Own. You have a maximum of three attempts to show that your hack actually works, each attempt takes at most five minutes, and you have 30 minutes in total to complete all three. In other words, you must be fully prepared and have your research properly written up. Pwn2Own is emphatically not a “hack-it-live-and-see-what-happens” style of event. Not only do you need to break in, you need to know the fine details of how and why your attack works, so that it can be reliably fixed. Ironically, the most exciting entries aren’t the ones where the competitor finally and frantically hacks the system with seconds to spare, as would usually happen in Hollywood. The hacks that get the biggest cheers typically involve impressively well-prepared participants who simply step up to the system, unleash their well-thought-out attack with a single click or command, and succeed instantly, with no apparent drama at all.
The downside of popularity
The lottery that determines the order of the competition makes a big difference to the competitors.
For example, the seventh participant drawn in the Windows 11 category cannot win simply by being the best, the fastest, or otherwise outstanding; they can only win if all six previous participants fail completely and then their own hack works.
Anyway, watch this space for the results, all of which will be known by 14:00 Vancouver Time (currently UTC-7) at the latest on Friday 05-20-2022.
The last day could, in fact, be a complete washout, because only Teams, Windows, and Linux are slated to be hacked on Friday, and all those prizes may already be done and dusted by then!
The order of hacks in Pwn2Own 2022 is as follows:
- later today: Teams, VBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
- tomorrow: Tesla (Information and Entertainment), Windows, Linux, Tesla (Diagnostics), Windows, Linux
- Friday: Teams, Windows, Linux, Windows, Windows
What do you think?
What do you think of the “winner takes all, and everyone else takes their exploits home” approach?
Do contests of this nature improve the state of cybersecurity by insisting on the discipline needed to conduct full and well-documented research, so that the core issues are properly exposed and not just patched over?
Or do they work against real-life cybersecurity by delaying the disclosure of partial results that could have been fixed months earlier, had they not been held back for the competition?
Have your say in the comments below…