The largest hacking competition, the spring Pwn2Own 2021, has ended. This time it finished in a three-way tie between Team Devcore, OV, and the duo of security researchers Daan Keuper and Thijs Alkemade from Computest. All three teams ended the competition with 20 points each.
In total, over three days, Pwn2Own participants earned $1,210,000. Detailed results can be found on the Trend Micro Zero Day Initiative (ZDI) blog.
Under normal circumstances, the event is held as part of the CanSecWest conference in Canada, but because of the coronavirus pandemic, Pwn2Own was held online again this year, as the spring and fall Pwn2Own events were last year. To this end, the organizers published a list of eligible targets back in January, and several teams applied for participation, with a total of 23 attempts planned against ten different products from the list. Each team had 15 minutes to launch its exploit and achieve remote code execution inside the target application. For each successful exploit, participants received a cash prize from the competition's sponsors and points in the tournament standings.
Spring Pwn2Own 2021, as usual, lasted three days. Over the course of the competition, Windows 10, Ubuntu, Safari, Chrome, Zoom, Microsoft Exchange, Microsoft Teams and Parallels Desktop were successfully compromised. Interestingly, none of this year's entrants attempted to hack the Tesla Model 3 offered as a target. The last time a car was hacked at the event was in 2019.
Security experts unanimously named the Zoom hack, which requires no user interaction, as the most impressive and dangerous compromise of this year. It was demonstrated by Daan Keuper and Thijs Alkemade of Computest and earned the researchers $200,000.
The exploit is known to chain three vulnerabilities and works against the latest versions of Windows 10 and Zoom. In the researchers' demo, the victim simply received a meeting invitation from the attacker and did not need to click anything: the malicious code was executed automatically. Since the vulnerabilities have not yet been patched, the technical details of the attack are still being kept secret, although a recording of the demonstration was made public.
The attack works against the Windows and Mac versions of Zoom but has not yet been tested on iOS or Android. Zoom's developers have already told the media that they are working on a fix and thanked the researchers for their work.
"We take security very seriously and appreciate Computest's research. We are working to resolve this issue in Zoom Chat, our group messaging product. This issue does not affect in-session chat in Zoom Meetings and Zoom Video Webinars. In addition, the attack must come from an accepted external contact or be part of the account of the same organization. Zoom recommends that users only accept requests to add to contacts from people they know and trust," the developers say.