Pwn2Own Vancouver 2024 Hands Out More Than $1 Million in Prizes for Wide-Ranging Vulnerabilities

The Pwn2Own Vancouver 2024 contest, which sees participants rewarded with cash prizes and whatever devices they successfully exploit, has drawn to a close with more than a million dollars handed out for the discovery of vulnerabilities in web browsers, Microsoft Windows 11, Canonical's Ubuntu Linux, and a Tesla Model 3.

The Zero Day Initiative's Pwn2Own contest is an unusual twist on capture-the-flag: participants promise to exploit security vulnerabilities in popular software and hardware products live on-stage in timed challenges. If a team's exploitation is successful, its members win cash alongside the physical item they attacked — from laptops and smartphones all the way up to cars.

The two-day Pwn2Own Vancouver 2024 came to a close this week, with a range of vulnerabilities demonstrated. All common web browsers — Mozilla Firefox, Apple Safari, Google Chrome, and Microsoft Edge — fell to attack, as did Microsoft's Windows 11 and Canonical's Ubuntu Linux operating systems. Adobe's PDF-viewing Reader application proved vulnerable, as did VMware Workstation and Oracle VirtualBox.

This latest Pwn2Own contest comes on the heels of a dedicated automotive contest, announced back in September last year and that took place in January with over $1 million in prizes handed out for hacks, which included takeovers of in-car entertainment systems, electric charging points, and the modem inside Tesla cars — with team Synacktiv walking away with the car for their efforts.

Synacktiv was back again for this latest competition, too, and once again demonstrated a flaw in Tesla vehicle security — using an integer overflow vulnerability to exploit the Tesla Engine Control Unit (ECU)'s CAN bus subsystem, winning the team an impressive $200,000 and their second Tesla Model 3.

In total, the contest saw 29 unique zero-day vulnerabilities — and a handful of previously-known vulnerabilities — resulting in prize payouts totalling $1,132,500. The overall winner, dubbed the Master of Pwn, was Manfred Paul, for his demonstration of a remote code execution (RCE) vulnerability in Apple's Safari browser, improper validation of inputs in Google Chrome and Microsoft Edge, and a two-prong RCE and sandbox escape vulnerability in Mozilla Firefox.

The full results are available on the Zero Day Initiative blog; technical details of all vulnerabilities are not publicly disclosed, as per the competition's rules.

Main article image courtesy of Seunghyun Lee/Zero Day Initiative.