Over 70 zero-day flaws get hackers $1 million at Pwn2Own Ireland

BleepingComputer

The fourth day of Pwn2Own Ireland 2024 marked the end of the hacking competition with more than $1 million in prizes for over 70 unique zero-day vulnerabilities in fully patched devices.

The hacking contest pits security researchers against various software and hardware products, in an attempt to earn the "Master of Pwn" title by compromising targets in eight categories ranging from mobile phones, messaging apps, home automation, and smart speakers to printers, surveillance systems, network-attached storage (NAS), and SOHO Smash-up.

This edition of Pwn2Own was the fourth consecutive one where white-hat hackers passed over the million-dollar prize mark, earning a total of $1,066,625.

During the last day of the competition, security researchers successfully exploited devices from Lexmark, TrueNAS, and QNAP:

  • Team Smoking Barrels exploited two vulnerabilities in TrueNAS X. Although one of the bugs had been previously used in the contest, the team still earned $20,000 and 2 Master of Pwn points
  • Team Cluck used a chain of six vulnerabilities to move from the QNAP QHora-322 to the Lexmark CX331adwe. One of the flaws had already been used but they received $23,000 and Master of Pwn points for the successful exploitation
  • Viettel Cyber Security targeted TrueNAS Mini X with a two-bug exploit. Their chain also relied on a bug previously seen in the competition but their demonstration was rewarded with $20,000 and 2 Master of Pwn points
  • PHP Hooligans / Midnight Blue leveraged an integer overflow vulnerability to exploit a Lexmark printer, which earned them $10,000 and 2 Master of Pwn points

Viettel Cyber Security received the "Master of Pwn" award for collecting a total of 33 Master of Pwn points. They earned $205,000 for the flaws demonstrated in QNAP NAS, Sonos speakers, and Lexmark printers.

Pwn2Own Ireland 2024 final standings
Source: Zero Day Initiative

The next Pwn2Own event is scheduled for January 22, 2025, and will happen in Tokyo, Japan.

The event focuses on the automotive industry and has four categories for participants: Tesla, In-Vehicle Infotainment (IVI), Electric Vehicle Chargers, and Operating Systems.

Zero Day Initiative (ZDI) has published details about the categories and the money prizes for successful exploitation. The rules of the competition are available here.