Pwn2Own Vancouver 2024 Hands Out More Than $1 Million in Prizes for Wide-Ranging Vulnerabilities

Operating systems, web browsers, virtualization software, and even the Tesla ECU fall victim to zero-day attacks at the latest Pwn2Own.

Gareth Halfacree
30 days ago | Security

The Pwn2Own Vancouver 2024 contest, which sees participants rewarded with cash prizes and whatever devices they successfully exploit, has drawn to a close with more than a million dollars handed out for the discovery of vulnerabilities in web browsers, Microsoft Windows 11, Canonical's Ubuntu Linux, and a Tesla Model 3.

The Zero Day Initiative's Pwn2Own contest is an unusual twist on capture-the-flag: participants promise to exploit security vulnerabilities in popular software and hardware products live on-stage in timed challenges. If a team's exploitation is successful, its members win cash alongside the physical item they attacked — from laptops and smartphones all the way up to cars.

The two-day Pwn2Own Vancouver 2024 came to a close this week, with a range of vulnerabilities demonstrated. All common web browsers — Mozilla Firefox, Apple Safari, Google Chrome, and Microsoft Edge — fell to attack, as did Microsoft's Windows 11 and Canonical's Ubuntu Linux operating systems. Adobe's PDF-viewing Reader application proved vulnerable, as did VMware Workstation and Oracle VirtualBox.

This latest Pwn2Own contest comes on the heels of a dedicated automotive contest, announced in September last year and held in January, at which over $1 million in prizes was handed out for hacks including takeovers of in-car entertainment systems, electric charging points, and the modem inside Tesla cars — with team Synacktiv walking away with the car for their efforts.

Synacktiv was back again for this latest competition, too, and once again demonstrated a flaw in Tesla vehicle security — using an integer overflow vulnerability to exploit the CAN bus subsystem of the Tesla Engine Control Unit (ECU), winning the team an impressive $200,000 and their second Tesla Model 3.

In total, the contest saw 29 unique zero-day vulnerabilities — and a handful of previously known vulnerabilities — resulting in prize payouts totalling $1,132,500. The overall winner, dubbed the Master of Pwn, was Manfred Paul, for his demonstration of a remote code execution (RCE) vulnerability in Apple's Safari browser, improper input validation in Google Chrome and Microsoft Edge, and a two-pronged RCE and sandbox escape vulnerability in Mozilla Firefox.

The full results are available on the Zero Day Initiative blog; technical details of all vulnerabilities are not publicly disclosed, as per the competition's rules.

Main article image courtesy of Seunghyun Lee/Zero Day Initiative.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: