Pwn2Own hacking competition expands to industrial control systems

For years, Pwn2Own, a competition that rewards researchers for finding previously unknown software flaws, has focused on code used in enterprise IT networks rather than on programs that support critical infrastructure operations. That is all going to change in January, when the contest heads to Miami and exposes white-hat hackers to popular software and protocols used in industrial control systems (ICS). Contestants will have a matter of minutes to demonstrate zero-day exploits they have developed beforehand. Cash prizes worth $250,000 will be available to winners, Zero Day Initiative (ZDI), the organization that runs Pwn2Own, said Monday. For an ICS industry accustomed to non-disclosure agreements around security testing, the Pwn2Own free-for-all format is a “radical concept,” said Dale Peterson, founder of the annual S4 security conference, which will host the Pwn2Own competition. The vulnerabilities that Pwn2Own participants demonstrate are disclosed responsibly to the vendor so they can be fixed. “That’s saying, ‘We have some confidence in our equipment. […]

The post Pwn2Own hacking competition expands to industrial control systems appeared first on CyberScoop.


Tesla Model 3’s onboard browser attacked successfully at Pwn2Own

A prolific duo of white-hat hackers exploited a previously unknown flaw in the web browser of the Tesla Model 3’s infotainment system on the third and final day of the Pwn2Own competition in Vancouver, demonstrating the first automotive zero-day in the event’s history. Team “Fluoroacetate,” aka Amat Cama and Richard Zhu, used the Tesla hack on Friday to cap off a dominant run in the competition, which takes place annually during the CanSecWest security conference. Cama and Zhu had successfully demonstrated zero-day exploits against popular web browsers and widely used virtualization software during the first two days. The Zero Day Initiative (ZDI), the organization that runs Pwn2Own, didn’t release many details about the Tesla hack. Given the sensitivity of any flaw in automotive software, that is hardly surprising. But the value of Cama and Zhu’s research to Tesla is clear: not only did they win cash for their demonstration, they […]


Apple, Oracle, VMware products successfully hacked at Pwn2Own

The white-hat hacking team of Amat Cama and Richard Zhu, together known as “Fluoroacetate,” took home the majority of the prize money available on the first day of this year’s Pwn2Own competition in Vancouver, demonstrating zero-day exploits against Apple’s Safari browser as well as virtualization software from Oracle and VMware. Other winners on Wednesday included “anhdaden,” also known as Phạm Hồng Phi of Singapore-based cybersecurity company STAR Labs, who targeted the Oracle software; and the phoenhex & qwerty team (Bruno Keith, Niklas Baumstark and Luca Todesco), which targeted Safari. Fluoroacetate won $160,000 in total, while anhdaden earned $35,000 and phoenhex & qwerty claimed $45,000 in prize money.

Confirmed! @fluoroacetate leveraged a race condition leading to an out-of-bounds write to escalate from a #VMware client to execute code on the host OS. The effort brings them another $70,000 and 7 more Master of Pwn points. Their Day 1 total is $160,000 […]


Tesla’s Model 3 is a big target at the next Pwn2Own

The hacking competition Pwn2Own is adding an automotive category to its March event in Vancouver, and participants will be able to take a crack at one of Tesla’s top models. The additional category is the result of a new partnership with Tesla, according to Japanese cybersecurity company Trend Micro, which runs Pwn2Own through its Zero Day Initiative (ZDI). The contest features live demonstrations of previously unknown security exploits, with hackers winning cash prizes for successfully showing off new zero-days. Contestants in the automotive category will focus on the Tesla Model 3, one of the best-selling luxury cars of the past year, Trend Micro said. In addition to cash prizes, one of the cars is also up for grabs for the “first successful researcher,” ZDI said. “Since 2007, Pwn2Own has become an industry-leading contest that encourages new areas of vulnerability research on today’s most critical platforms,” said Brian Gorenc, Trend Micro senior director of vulnerability research, in […]


Researchers earn thousands for exposing mobile device exploits at Pwn2Own

Security researchers competing in the Pwn2Own competition in Tokyo this week earned a collective $325,000 for demonstrating new exploits against devices made by Samsung, Xiaomi and Apple. Pwn2Own, a series of contests run by the Zero Day Initiative, brings security researchers together to compete at exposing vulnerabilities in popular software and devices. The competition in Tokyo on Tuesday and Wednesday focused on mobile devices. Researchers showed off an array of different methods by which the devices could be compromised, according to blog posts by the Zero Day Initiative. Among their conquests, the duo of hackers known as Fluoroacetate used near-field communication to force the Xiaomi Mi6 phone to open a custom website. They then executed code on a Samsung Galaxy S9 using a baseband vulnerability, and successfully exfiltrated a deleted picture from an iPhone X. A team of researchers from MWR Labs, a division of F-Secure, used a string of different bugs to force the Xiaomi Mi6 and […]


Safari, Microsoft Edge exploits earn hackers $135k at Pwn2Own

Zero-day exploits netted hackers $135,000 in total on Wednesday during the Pwn2Own contest in Vancouver, British Columbia. Exploits targeting the Apple Safari and Microsoft Edge web browsers were the highlight of the first day of Pwn2Own, a zero-day vulnerability hacking contest organized by Trend Micro’s Zero Day Initiative. Some of the best hackers in the world attended this year to compete for a share of $2 million in prizes. One of the biggest wins of the day belonged to Samuel Groß (saelo), who successfully targeted Apple Safari and chained it with a macOS kernel escalation of privilege. He capped off his $65,000 payday with a bit of showmanship by signing the Touch Bar of a MacBook Pro:

Success! Samuel Groß (@5aelo) manages to pop calc and brings back his trademark touchbar finesse. Now off to the disclosure room for confirmation and vendor notification. — Zero Day Initiative (@thezdi) March 14, 2018

Richard Zhu, a veteran of Pwn2Own, competed twice on Wednesday. […]


Microsoft Patch Tuesday Update Fixes 19 Critical Vulnerabilities

Microsoft releases a total of 57 security patches, part of its July Patch Tuesday, with 20 rated critical.