The 2022 edition of the famous (or infamous, depending on your point of view) Pwn2Own contest kicks off later today in Vancouver, British Columbia.
(Actually, this year’s event is a so-called “hybrid” event, so attendees who are unable or unwilling to travel, whether for coronavirus or environmental reasons, can attend remotely.)
Numerous vendors have offered cash prizes for hacking various of their products, with this year’s potential targets being:
- Virtualization: Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client.
- Browsers: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox.
- Enterprise Apps: Adobe Reader, Office 365 ProPlus.
- Server: Microsoft RDP/RDS, Exchange, SharePoint, Samba.
- Endpoint Operating Systems: Ubuntu Desktop, Windows 11 (elevation of privilege only).
- Corporate Communications: Zoom, Microsoft Teams.
- Automobile: a set of categories based on the Tesla 3.
Interestingly, the Server and Enterprise Apps categories attracted zero hackers this year.
Browsers and virtualization seem to have been considered similarly uninteresting, with just one entrant each taking on Firefox and Safari, and a lone hacker trying his hand at VirtualBox.
Windows 11 and Ubuntu Linux attracted seven and five entries respectively; four entrants will have a go at Teams; and two will try out different aspects of the Tesla 3.
A hacking lottery
The rules of Pwn2Own are a little unusual, given that some contestants may not get to compete at all.
The Tesla hackers (two different categories), along with the browser and virtualization entrants, will definitely all get their turn, because they are the only competitors in their categories.
They will either succeed in their designated half-hour slot and claim their prizes, or fail and go home empty-handed.
Everyone else’s participation depends on what has already happened before their slot.
For example, Pwn2Own is not a time-trial event (think downhill skiing) in which, even if the first competitor beats the current world record and appears to have set an unbeatable time, they still have to wait until the very last competitor has finished to find out whether their early time was good enough.
In Pwn2Own, by contrast, the first entrant to complete the course wins the prize and closes the category for everyone else. If it were skiing, the first skier wouldn’t need to break a record to win, merely to reach the bottom without falling over or exceeding a predetermined time limit.
Speed is not entirely unimportant at Pwn2Own, though. You have a maximum of three attempts to show that your hack actually works, each lasting at most five minutes, and a total of 30 minutes in which to complete all three attempts.

In other words, you must be fully prepared and have your research properly written up. Pwn2Own is definitely not a “hack it live and see what happens” movie-style event. Not only do you need to break in, you also need to know the intimate details of how and why your attack works, so that the underlying bug can be reliably fixed.

Ironically, the most dramatic entries aren’t the ones where the competitor frantically hacks away at the system for a few seconds, as would happen in Hollywood. The hacks that draw the biggest gasps usually involve spectacularly well-prepared entrants who simply walk up to the system, launch their meticulously researched attack with a single click or command, and succeed instantly, without any drama at all.
The downside of popularity
The lottery that determines the order of competition makes a big difference to the competitors.
For example, the seventh entrant drawn in the Windows 11 category can’t win simply by being the best, or the fastest, or any other superlative. They can win only if all six previous entrants fail completely, and their own hack then works.
Anyway, watch this space for the results, all of which will be known no later than Friday 20 May 2022 at 14:00 Vancouver time (currently UTC-7).
The last day could actually turn out to be a total washout, because only Teams, Windows and Linux are scheduled to be hacked on Friday, and all of those prizes could be done and dusted today!
The order of hacks in Pwn2Own 2022 is as follows:
- Today: Teams, VirtualBox, Teams, Firefox, Windows, Linux, Teams, Safari, Linux, Windows
- Tomorrow: Tesla (Infotainment), Windows, Linux, Tesla (Diagnostics), Windows, Linux
- Friday: Teams, Windows, Linux, Windows, Windows
What do you think?
What do you think of this “winner takes all, and everyone else takes their exploits home” approach?
Do hacking extravaganzas of this sort improve the state of cybersecurity, by fostering the discipline needed for complete and well-documented research, so that underlying problems are properly uncovered rather than merely papered over with patches?
Or do they work against real-world cybersecurity, by delaying the disclosure of partial results that could have been fixed months earlier if only they hadn’t been withheld for competitive purposes?
Share your thoughts in the comments below…