The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia.
(Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)
Numerous vendors have put forward monetary prizes for hacking various of their products, with this year’s potential targets being:
- Virtualisation: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
- Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
- Enterprise Apps: Adobe Reader, Office 365 ProPlus.
- Servers: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
- Endpoint OSes: Ubuntu Desktop, Windows 11. (Elevation of Privilege only)
- Enterprise Communications: Zoom, Microsoft Teams.
- Automotive: a range of categories based on Tesla 3 vehicles.
Intriguingly, the Servers and Enterprise Apps categories attracted exactly zero hackers each this year.
Browsers and Virtualisation were considered similarly unintersting, it seems, with just one entrant each taking on Firefox and Safari, and a solitary hacker having a go at VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries repesectively; four contestants will take a pop at Teams; and two will have a go at various aspects of the Tesla 3.
A hacking lottery
The rules of Pwn2Own are somewhat strange, given that some entrants may end up not actually competing at all.
The Tesla hackers (two different categories), plus the browser and virtualisation entrants, will all definitely get a turn, because they’re the only competitors in their categories.
Either they’ll succeed in their designated half-hour slot, and claim their prizes, or they’ll fail and go home empty handed.
Everyone else’s participation depends on what’s already happened.
Pwn2Own isn’t like, say, a time-trial sporting event (think downhill skiiing), where even if the first entrant beats the current world record and seems to have set an invincible time, they still have to wait until the very last competitor finishes to find out if their early time was good enough.
In Pwn2Own, in contrast, the first entrant to complete the course wins the prize and closes the category for everyone else – if it were downhill skiing, the first skiier wouldn’t have to break a record to win right away, they’d just need to get to the bottom without falling over or exceeding a pre-specified time limit.
Speed is not entirely unimportant in Pwn2Own. You have a maximum of three attempts to show that your hack actually works, each lasting a maximum of five minutes, and you’ve got 30 minutes in total to complete your three tries. In other words, you need to come fully prepared, with your research properly written up. Pwn2Own is very definitely not a movie-style “hack-it-live-and-see-what-happens” event. You don’t just need to break in, you need to know the intimate details of how and why your attack works, so that it can reliably be fixed. Ironically, the most dramatic entries aren’t those where the competitor finally and frenziedly hacks the system with seconds to spare, which is how it might typically happen in Hollwood. The hacks that get the biggest gasps typically involve spectacularly well-prepared entrants simply walking up to the system, launching their scrupulously well-researched attack with a single click or command, and succeeding right away, with no apparent drama at all.
The downside of popularity
The lottery that determines the order of competition makes a big difference to the competitors.
The seventh entrant drawn in the Windows 11 category, for example, can’t win simply by being the best, or the fastest, or by some other superlative achievement – they can only win if all the previous six entrants fail completely, and then their hack works.
Anyway, watch this space for the results, which will all be known by 14:00 Vancouver time (currently UTC-7) at the latest on Friday 2022-05-20.
The last day could, in fact, be a total washout, because only Teams, Windows and Linux are scheduled for hacking on Friday, and all those prizes may aleady be done and dusted by the end of today!
The order of hacks in Pwn2Own 2022 are as follows:
- Later today: Teams, VBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
- Tomorrow: Tesla (infotainment), Windows, Linux, Tesla (diagnostics), Windows, Linux
- Friday: Teams, Windows, Linux, Windows, Windows
What do you think?
As for this “winner takes it all and everyone else takes their exploits home” approach, what do you think?
Do hacking spectaculars of this sort improve the state of cybersecurity by promoting the discipline needed for complete and well-documented research, so that underlying problems are properly exposed, not merely papered over with patches?
Or do they work against cybersecurity in real life by potentially delaying the early disclosure of partial results that could have been fixed months earlier if only they hadn’t been kept back for competitive purposes?
Have your say in the comments below…