The participants successfully compromised NAS devices, routers, printers, and mobile phones. Overall, about 60 zero-day vulnerabilities surfaced over the whole event, through the exploitation of both known and unknown flaws.
Pwn2Own Event 2021 Highlights
The second iteration of Pwn2Own 2021, which focused on routers, printers, NAS devices, and phones, came to an end this week. The first iteration went on to surface flaws in Microsoft Exchange Server, macOS, Windows 10, and Teams. Now, over the course of four days, several individual researchers and security firms have surfaced over 60 new zero-day vulnerabilities from 58 attempts. The attempts involved either exploiting a single critical flaw or chaining together multiple lower-risk flaws to achieve remote code execution.
Top teams include Synacktiv, which earned about $197,500 in payouts and 20 “Master of Pwn” points, followed by the Devcore researchers Orange Tsai, Angelboy, and Meh Chang, who made six successful attacks to claim about $180,000 in cash rewards. Researchers at NullRiver took the final payout by exploiting two flaws in the Netgear R6700v3 router.
Major devices exploited include the Cisco RV340 router, against which researchers performed nine successful attacks using both previously known and unknown flaws. Next is the Western Digital My Cloud Pro Series PR4100 NAS box, which had nine successful break-ins and was the popular device of the event. In a first for Pwn2Own, researchers also successfully compromised printers, including the Canon ImageCLASS MF644Cdw and the Lexmark MC3224i, which had ten different entries launched against it.
Overall, Pwn2Own paid about $1,081,250 in rewards over the four-day competition and received 60 new zero-day vulnerabilities in return from all the researchers.