January 28, 2023
On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits. A significant chunk of the total amount was earned for smart speaker hacks, specifically vulnerabilities targeting Sonos One smart speakers. A team from ​​Qrious…

On the second day of the Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition, participants earned a total of more than $280,000 for smart speaker, smartphone, printer, router, and NAS exploits.

A significant chunk of the total amount was earned for smart speaker hacks, specifically vulnerabilities targeting Sonos One smart speakers.

A team from ​​Qrious Secure earned $60,000 for hacking a Sonos One speaker, while the Star Labs team earned $22,500 for an exploit that involved one new and one previously known flaw.

The Bugscale team was awarded $37,500 for a SOHO Smashup exploit that targeted a Synology router and an HP printer. The attempt involved the use of new and previously known bugs.

In the new Pwn2Own category called SOHO Smashup, a small office / home office (SOHO) scenario is simulated, with the goal being to hack a router on the WAN interface and then pivoting to the LAN, where a second device is hacked, such as a NAS appliance, a smart speaker, or a printer.

[ Read: Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Exploits ]

Another significant reward was earned by researcher Luca Moro, who was awarded $40,000 for a WD My Cloud Pro hack in the NAS category. Interrupt Labs earned $25,000 for hacking a Samsung Galaxy S22 phone.

The list of devices hacked on the second day of Pwn2Own, for which participants earned between $1,250 and $10,000, includes HP, Lexmark and Canon printers, and Netgear, Synology and TP-Link routers.

ZDI announced that a total of $681,000 was paid out in the first two days for 43 new and unique vulnerabilities.

Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.

Related: Netgear Neutralizes Pwn2Own Exploits With Last-Minute Nighthawk Router Patches

Related: Over $1.1 Million Awarded at Pwn2Own Vancouver 2022 for 25 Zero-Day Vulnerabilities

Related: Microsoft Teams Exploits Earn Hackers $450,000 at Pwn2Own 2022

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.Previous Columns by Eduard Kovacs:Tags:
Source