On the first day of the Pwn2Own Austin 2021 event, contestants took advantage of a previously unknown security flaw to hack into printers, routers, NAS devices and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link and NETGEAR. We hacked printers, routers, NAS devices, and speakers from Canon, HP, Western Digital, Cisco, Sonos, TP-Link, and NETGEAR and won $362,500.
While the Pwn2Own contest has focused on consumer devices since its initial launch, the contest itself has been held around the world.
The 2012 contest in Amsterdam focused on cell phones, and the following year in Tokyo, the contest was held in conjunction with the PacSec Applied Security Conference.
Since then, the contest has expanded to include TVs, wearables, smart speakers, etc. Last year in Toronto, we expanded the contest to include Network Attached Storage (NAS) devices.
This year, we held Pwn2Own at our headquarters in Austin, Texas from November 2-4, 2021. For this year’s event, we expanded the router category and introduced a printer category to reflect the home office environment that many people are in today.
A total of 22 devices will be targeted, with over $500,000 in prizes on offer.
In Pwn2Own Austin (formerly known as Pwn2Own Mobile), security researchers will challenge devices such as cell phones, printers, routers, network attached storage, smart speakers, TVs, external storage, and more, all with up-to-date and default settings. It’s a challenge.
The only exception to this is Western Digital’s 3TB My Cloud Home Personal Cloud NAS device, as this is still running a beta software release.
The highest prize for researchers is in the cell phone category, with a maximum prize of $150,000, plus an additional $50,000 bonus for exploiting the iPhone or Pixel browser to run with kernel-level privileges, for a total maximum prize of $200,000 per challenge.
The Pwn2Own Austin consumer event has been extended to four days with 22 attendees registered and a total of 58 entries.
The highest reward on the first day of Pwn2Own in Austin went to the team from DEVCORE and THEORI.
DEVCORE has taken over the Sonos One Speaker, Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw printers for a total of $100,000.
THEORI team hacked Western Digital’s My Cloud Pro Series PR4100 and 3TB My Cloud Home Personal Cloud NAS devices and won an additional $80,000.
The Samsung Galaxy S21 was the only device to exit unscathed.
Over the course of three days, contest participants earned a record $1.21 million for exploits and exploit chains targeting products in the web browser, virtualization, server, local privilege escalation, and enterprise communications categories.