Pwn2Own Vancouver 2019: Wrapping Up and Rolling Out

March 22, 2019 | Dustin Childs

The final day of Pwn2Own Vancouver 2019 has come to a close, but not without some drama and intrigue.

The day began not with a bang, but with a whimper as Team KunnaPwn withdrew their entry from the automotive category. Although they didn’t demonstrate any of their research at this contest, we hope they submit some of it to our program in the future.

The assembled crowd viewed from within the vehicle

When their scheduled time arrived, the dynamic Fluoroacetate duo of Richard Zhu and Amat Cama thrilled the assembled crowd as they entered the vehicle. After a few minutes of setup, and with many cameras rolling, they successfully demonstrated their research on the Model 3 internet browser. They used a JIT bug in the renderer to display their message and earn $35,000. Of course, this is Pwn2Own so they also get the car.

ZDI Analyst Jasiel Spelman prepares to run the demonstration from Richard Zhu

Overall, the three days of Pwn2Own Vancouver 2019 have been a great success. We have awarded a total of $545,000 for 19 unique bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and – in its inaugural year – the Tesla infotainment system.

And it should come as no surprise that the Fluoroacetate team of Richard Zhu and Amat Cama have been crowned the Master of Pwn for 2019! Their amazing research earned them $375,000 over the contest and resulted in 36 Master of Pwn points. They dominated Pwn2Own Tokyo and have carried that wave through to the spring. We can’t wait to see what’s next for this pair of talented researchers.

Master of Pwn winners Richard Zhu and Amat Cama - Team Fluoroacetate

Thanks to all of the researchers who participated in our contest this year. We can’t hold it without their hard work and dedication. Thanks also to our partners Microsoft and Tesla and sponsor VMware for their support and assistance before and during the contest.

The Master of Pwn trophy and awarded laptops

As always, onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the issues we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting research we saw this week.

Until then, you can follow the team for the latest in exploit techniques and security patches. See you at the next event!