Networking Devices Are “Bleeding” at the Virtual ‘Pwn2Own’ Tokyo 2020

• Hacking teams are giving it all they got to hack into networking products by TP-Link, Netgear, Synology, and WD.
• The first two days of the event have been successful, with the discovery and exploitation of numerous zero-day flaws.
• The third day will decide the winner of this virtual event, and you can watch the hacks live on Twitch.

COVID-19 has compelled Pwn2Own organizers (Trend Micro) to postpone the event that was to take place in Tokyo this year, so it’s gone virtual and coordinated by the Zero Day Initiative from Toronto, Canada. Two of the three days of the white-hacking competition are already behind us, with routers and NAS storage products being exploited via multiple newly discovered vulnerabilities.

Here are the detailed results of the event thus far:

• ‘STARLabs’ successfully combined two code execution flaws on the LAN interface of the NETGEAR Nighthawk R7800 router. Payout: $5,000
• ‘STARLabs’ used an authentication bypass bug together with a command injection flaw to gain root access to the NETGEAR Nighthawk R7800 router. Payout: $20,000
• ‘Flashback’ team used two separate vulnerabilities to gain code execution rights through the WAN interface of the NETGEAR Nighthawk R7800 router. Payout: $20,000
• ‘Trapa Security’ used a command injection bug and took complete control of the NETGEAR Nighthawk R7800 router. Payout: $5,000
• ‘Flashback’ used three different bugs to gain code execution rights through the WAN interface of the TP-Link AC1750 Smart WiFi router. Payout: $20,000
• ‘Syacktiv’ team gained code execution rights via the LAN interface of the TP-Link AC1750 Smart WiFi router, using three unique bugs. Payout: $5,000
• ‘DEVCORE’ used a heap overflow vulnerability to get arbitrary code execution on the Synology DiskStation DS418Play NAS. Payout: $20,000

Related: Hackers Are Massively Hijacking SIP Servers for Profit

Today, the hacking teams will attempt to hack into the Western Digital My Cloud Pro Series PR4100, NETGEAR Nighthawk R7800 router, Western Digital My Cloud Pro Series PR4100, Sony X800 television, and the Synology DiskStation DS418Play NAS. If you want to watch the attempts live, there’s a Twitch stream and a live stream on YouTube.

Remember, Pwn2Own is a hacking contest meant to help promote security and provide a checkpoint on the vendors' progress. In many cases, Pwn2Own is used as a platform to compare the security of different products of the same category, like web browsers or smartphones. The winners get to win the device they exploited along with a cash prize, and vendors get to have the discovery and the opportunity to fix zero-day bugs.