The 2022 edition of the famous (or infamous, depending on your viewpoint) Pwn2Own competition kicks off later today in Vancouver, British Columbia.
(Actually, it’s a so-called “hybrid” event this year, so that entrants who can’t or don’t want to travel, whether for coronavirus or environmental reasons, can participate remotely.)
Numerous vendors have put forward monetary prizes for hacking various of their products, with this year’s potential targets being:
- Virtualisation: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
- Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
- Enterprise Apps: Adobe Reader, Office 365 ProPlus.
- Servers: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
- Endpoint OSes: Ubuntu Desktop, Windows 11. (Elevation of Privilege only)
- Enterprise Communications: Zoom, Microsoft Teams.
- Automotive: a range of categories based on Tesla 3 vehicles.
Intriguingly, the Servers and Enterprise Apps categories attracted exactly zero hackers each this year.
Browsers and Virtualisation were considered similarly unintersting, it seems, with just one entrant each taking on Firefox and Safari, and a solitary hacker having a go at VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries repesectively; four contestants will take a pop at Teams; and two will have a go at various aspects of the Tesla 3.
A hacking lottery
The rules of Pwn2Own are somewhat strange, given that some entrants may end up not actually competing at all.
The Tesla hackers (two different categories), plus the browser and virtualisation entrants, will all definitely get a turn, because they’re the only competitors in their categories.
Either they’ll succeed in their designated half-hour slot, and claim their prizes, or they’ll fail and go home empty handed.
Everyone else’s participation depends on what’s already happened.
Pwn2Own isn’t like, say, a time-trial sporting event (think downhill skiiing), where even if the first entrant beats the current world record and seems to have set an invincible time, they still have to wait until the very last competitor finishes to find out if their early time was good enough.
In Pwn2Own, in contrast, the first entrant to complete the course wins the prize and closes the category for everyone else – if it were downhill skiing, the first skiier wouldn’t have to break a record to win right away, they’d just need to get to the bottom without falling over or exceeding a pre-specified time limit.
Speed is not entirely unimportant in Pwn2Own. You have a maximum of three attempts to show that your hack actually works, each lasting a maximum of five minutes, and you’ve got 30 minutes in total to complete your three tries. In other words, you need to come fully prepared, with your research properly written up. Pwn2Own is very definitely not a movie-style “hack-it-live-and-see-what-happens” event. You don’t just need to break in, you need to know the intimate details of how and why your attack works, so that it can reliably be fixed. Ironically, the most dramatic entries aren’t those where the competitor finally and frenziedly hacks the system with seconds to spare, which is how it might typically happen in Hollwood. The hacks that get the biggest gasps typically involve spectacularly well-prepared entrants simply walking up to the system, launching their scrupulously well-researched attack with a single click or command, and succeeding right away, with no apparent drama at all.
The downside of popularity
The lottery that determines the order of competition makes a big difference to the competitors.
The seventh entrant drawn in the Windows 11 category, for example, can’t win simply by being the best, or the fastest, or by some other superlative achievement – they can only win if all the previous six entrants fail completely, and then their hack works.
Anyway, watch this space for the results, which will all be known by 14:00 Vancouver time (currently UTC-7) at the latest on Friday 2022-05-20.
The last day could, in fact, be a total washout, because only Teams, Windows and Linux are scheduled for hacking on Friday, and all those prizes may aleady be done and dusted by the end of today!
The order of hacks in Pwn2Own 2022 are as follows:
- Later today: Teams, VBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
- Tomorrow: Tesla (infotainment), Windows, Linux, Tesla (diagnostics), Windows, Linux
- Friday: Teams, Windows, Linux, Windows, Windows
What do you think?
As for this “winner takes it all and everyone else takes their exploits home” approach, what do you think?
Do hacking spectaculars of this sort improve the state of cybersecurity by promoting the discipline needed for complete and well-documented research, so that underlying problems are properly exposed, not merely papered over with patches?
Or do they work against cybersecurity in real life by potentially delaying the early disclosure of partial results that could have been fixed months earlier if only they hadn’t been kept back for competitive purposes?
Have your say in the comments below…
Jesse Morton
We ought to love our neighbor as ourself, as the Scripture teaches, and we should do nothing for selfish or dishonest gain, again, as the Scripture says. How does this apply? If we know of a hack that could be used to harm people, then we have a responsibility, for the sake of our neighbors, to disclose this as son as possible and our motive should be out of love, not seeking to be rewarded.
Paul Ducklin
I hear you, but the other side of the coin is that finding the sort of hacks that win Pwn2Own prizes is a difficult and time-consuming job and deserves to be a way to earn a living. And in a free market economy such as in countries such as Canada, competition is not merely encouraged but actually a regulatory necessity.
In an ideal world, each software company would find and fix its own bugs…
…but even in companies with huge research budgets and existing cyberhacking/bughunting teams (e.g. Google’s Project Zero), there’s enormous benefit in having other people take a long, hard, detailed, deep, objective look at your code “as an outsider”. (Also, freelancing, for all that it is open to exploitation by unscrupulous employers, can be considered an economic right and an important part of a free market.)
Getting paid for top-quality work can’t really be considered “selfish”, and Pwn2Own prizes depend on the finder responsibly and fully disclosing how they found it, so it can hardly be considered “dishonest gain”. And in this case’ we’re talking about willing buyers and willing sellers…
You can argue that this winner-takes-all approach tends to favour bug-hunters holding onto known exploits far longer than they otherwise might, in the hope of finally scooping The Big Prize, but you can also argue that without this sort of incentive, few really good bug-hunters would ever be motivated to study software/OS/firmware/hardware ecosystems in any depth.
The days of the independently wealthy operator who can afford to be an amateur at the top level of their field [a] are over and [b] were never fair anyway, because they relegated even the most talented working-class practioners to be eternal lackeys. (The history of both rugby football and cricket – both of which are now big-money, international sports played in dozens of countries – are a good example of what I mean. In a monetary economy, you can hardly expect people to do everything for free.)
Ipsum Lorem
We should also sit under our own vine and under our own fig tree, and no one should make us afraid…
…But scripture rarely solves the complexities of modernity.
For example… If someone hacks your system, should you turn the other cheek? Or is it better to close port 23 and make certain they can never do it again (okay, okay, make sure they have to work -harder- to do it again)?
Pwn2Own is a sporting competition; one that indeed ends in companies patching and safeguarding their products. I don’t think scripture is quite the same point of reference you think it is, here…
Paul Ducklin
I’m not convinced that Christian scripture (though of course I am not a theologian) or a formal Christian interpretation of Pwn2Own would have any moral problems with the rules.
Some of the amounts of money on offer may sound rather high, and might feel excessive to some people, regardless of their religious affiliations, but you need to remember that it’s not a question of a competitor “earning $100,000 in 30 minutes” by just showing up, mucking around for a bit and hitting the jackpot.
For example, Firefox got pwned on the first day of the contest by Manfred Paul. The “hack” took 7 seconds of his alloted 30 minutes, but in truth he was simply proving that his research was valid and that his claims were true. He jolly well knew it would work because he’d already put in the hard yards of researching, testing, and documenting his approach. (PS. I just saw he pwned Safari as well!)
My guess is that his overall “hourly rate” for the work that went into winning these prizes will be above the median average wage, but I will also guess that if he were to try to count the exact number of hours he needed for the task, he’d greatly underestimate, because of all the time he’s put in in the past to learn enough to be able to put in the time now to create the exploits he demonstrated today.
(As for “a sporting competition”, if you think what big-time sports players earn these days, the Pwn2Own prizes are pretty modest. I enjoy watching top cricketers hit the ball into the upper tier of the stands as much as the next person, and I know they get paid big money because doing that sort of stuff IS REALLY HARD. Yet no one has ever hit an amazing six or taken an incredible catch that made me safer against cybercrime. And then stop to think how much some of the senior execs earn in some of the companies that benefit from the exploits they learn about through Pwn2Own.)
Anonymous
A bit of both! In-house fuzzing can find lots of likely bugs so they can be fixed as soon as they’re noticed, even if they weren’t exploitable. Find them and move on.
But that is not enough on it’s own. Sometimes people need to start with one vuln and chase it for months to make a real exploit chain to help us learn how to write better code in future.
Alex
Cyber security is al about securing the WorldWide infra, this event is about fun and prices. I think this approach will lead to frustration by what could have been successful hacks which are not presented. Not okey with me, everyone should get their chance to prove him/herself.
Paul Ducklin
Anyone who doesn’t get to show their exploit can still submit it for a bug bounty to the vendor concerned. (I suspect that if they were minded to sell it to criminals instead of disclosing it responsibly they would have done so and not shown up at the contest.)
All bug bounties have a slightly competitive edge – if you find the same exploit as someone else but you submit it 5 minutes after them, you get nothing because it’s a “known bug” once the other person reports it.
You can also argue that having one payoff per product tends to encourage a wider spread of targets instead of having everyone focus on the popular Target du Jour.
Paul Ducklin
Actually, although the contest rules imply otherwise (I assume this is at the vendor’s discretion), it seems that three different Teams exploits were tried; all succeeded; and all will be paid for by Microsoft. ($450,000 in bounties in total, i.e. 3 × 150k)