Announcing Pwn2Own Tokyo for 2019

August 28, 2019 | Brian Gorenc

Started in 2012, our fall Pwn2Own contest has undergone quite a few changes over the years. It was initially held in Amsterdam, then moved to Tokyo the following year. It was here that we had our first Asia-based Pwn2Own participants. The contest continued to evolve over the years, and last year, we saw the introduction of Internet-of-Things (IoT) devices like the Amazon Echo and Google Home speakers. This year, we’re expanding things even further as we bring on a new partner in Facebook, as they bring the Portal from Facebook and Oculus Quest to the contest – and that’s just the beginning. If you’re just looking for the complete rules, you can find them here

Pwn2Own Tokyo will take place on November 6 – 7 during the PacSec conference, which is held at the Aoyama St. Grace Cathedral in Tokyo, Japan. More than $750,000 USD in cash and prizes are available to researchers with 17 different devices as potential targets in a total of eight different categories. As with our Vancouver contest, Pwn2Own Tokyo seeks to harden these devices and their OSes by revealing vulnerabilities and providing that research to the vendors. As always, the goal is to get these bugs fixed before they’re actively exploited. 

The Target Handsets

At its heart, this version of Pwn2Own Tokyo looks at mobile handsets, and this year is no different. Here are the target handsets for Pwn2Own Tokyo 2019:

-       Xiaomi Mi 9
-       Samsung Galaxy S10
-       Huawei P30
-       Google Pixel 3 XL
-       Apple iPhone XS Max
-       Oppo F11 Pro (baseband category only)

All of these phones will be running the latest version of their respective operating systems with all available updates installed.

Wearables, TVs, Speakers, and More

 This year, we’re greatly expanding the number and types of devices included in the contest. In addition to the previously mentioned Portal from Facebook and Oculus Quest, Pwn2Own 2019 includes internet-connected televisions and consumer-grade network routers, along with an updated list of smart speakers and connected cameras. Here’s the full list of devices included in this year’s contest:

Wearables:

-       Apple Watch Series 4
-       Oculus Quest (64Gb)

Home Automation:

-       Portal from Facebook
-       Amazon Echo Show 5
-       Google Nest Hub Max
-       Amazon Cloud Cam Security Camera
-       Nest Cam IQ Indoor

Televisions:

-       Sony X800G Series - 43”
-       Samsung Q60 Series – 43”

Routers:

-       TP-Link AC1750 Smart WiFi Router
-       NETGEAR Nighthawk Smart WiFi Router (R6700)

All of these devices will be updated to the most recent patch level or system update, and all will be in their default configuration.

The Pwn2Own Tokyo Challenges

Now that you know the devices available, let’s look at the different categories of challenges, starting with the various tests against mobile handsets.

Web Browsers

In this category, contestants will target the default web browser of each particular handset. The awards for this category are:

This category also includes add-on bonuses for some of the handsets. If your exploit payload executes with kernel privileges on any of these handsets, you will earn an additional $20,000 and 2 more Master of Pwn points. There will also be a bonus for the exploit payload surviving a reboot. Accomplish this on the Google Pixel and you earn another $25,000 and 3 Master of Pwn points. Do this on the Apple iPhone XS and you will earn an additional $50,000 and 5 Master of Pwn points. That means a full iPhone browser exploit with persistence and kernel-level access will earn $130,000.

Short Distance

In this category, we’ll be looking at attacks happening over Wi-Fi, Bluetooth, or near field communication (NFC). The awards for this category are:

This category also has the same add-on bonuses as the browser category. That means another $20,000 for a kernel-level exploit, and $25,000 and $50,000 for persistence on the Google Pixel and Apple iPhone respectively.  

Messaging

Attacks in this category will take place by viewing or receiving a MMS or SMS message. The awards for this category are:

No add-on bonuses are available in this category.

Baseband

The final category targeting handset covers attacks where the target device communicates with a rogue base station. The awards for this category are:

This category offers the most lucrative – and difficult – add-on bonus. If an exploit payload is able to pivot and execute code on the application processor of the Apple iPhone or Google Pixel, the contestant earns and an additional $150,000 and 15 more Master of Pwn points. This means a success pivot through baseband could earn someone $300,000.

Challenges involving other devices

For the devices at Pwn2Own Tokyo that aren’t handsets, a successful entry will compromise the device and retrieve some form of sensitive information. For some of these challenges, local privilege escalations and non-invasive physical attacks (e.g. attacks involving causal physical access) are in scope but result in a lower award.

Wearables

Home Automation

Televisions

Television.png

Routers 

For this category, contestants may target either the WAN or the LAN interface.

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2020).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone XS Max in the Browser category with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but successfully completes the Browser attempt. The final point total will be 4 Master of Pwn points.

If a contestant decides to withdraw from the registered attempt prior to the actual attempt, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest. Since Pwn2Own is now often a team competition, along with the initial deduction of points, the same number of Master of Pwn points will also be deducted from all contestants from the same company.

The Complete Details

The full set of rules for Pwn2Own Tokyo 2019 are available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at zdi@trendmicro.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine contestant order. Registration closes at 5:00 p.m. Japan Standard Time on November 4, 2019.

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OTokyo hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to Pwn2Own Tokyo 2019 Partner Facebook for providing their technology:

combo-bluerp.png

 

 

 

©2019 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.