TOKYO—When it comes to getting hacked by security researchers at the seventh annual Mobile Pwn2Own hacking contest here, smart TVs could be a lot smarter about staying secure. The same goes for Wi-Fi routers, Xiaomi Android phones, and an Amazon Echo. One exploit even survived a factory reset of the device.
The Mobile Pwn2Own hacking contest and its March counterpart in Vancouver, focused on phones and other non-laptop devices, have been delivering hundreds of thousands of dollars in prizes each year to hackers eager to show off their skills. But what’s become apparent over the past several years is that improperly maintained but widely used, open-source projects such as Android and Chromium, the basis for Google’s Chrome browser, contribute a disproportionate number of victories to hackers, says Brian Gorenc, who heads up Zero Day Initiative, which organizes the Pwn2Own contests.
Gorenc stresses that he doesn’t blame Google when third-party vendors, including Sony, Samsung, and Xiaomi, are lax in updating Android and Chromium. “They’re not setting up automatic updates. They’re not thinking about how to secure an attack surface for end users,” he says. “Their devices are not configured the same way as Google would configure them. Google’s understanding of the code base is not being applied elsewhere.”
READ MORE ON ZERO-DAY VULNERABILITIES
SafeBreach discloses vulnerabilities in Avast, AVG, Avira
‘Memsad’ software rot threatens to leak your digital secrets
After Russia warning, hole found in leading industrial-control software
Primer: What’s a zero-day?
When to disclose a zero-day vulnerability
One winning hack was devastating enough that it allowed Pedro Ribeiro and Radek Domanski, who in their first appearance at the contest hacked the WAN interface of the Netgear Nighthawk Smart WiFi Router R6700, to maintain control over the device even after it had been factory-reset. They earned $20,000 for that effort alone, and $50,000 over the course of the two-day contest.
Representatives from Xiaomi, Samsung, and Google, all of which had devices that were hacked at the contest, declined to comment.
All told, hackers walked away from Pwn2Own Tokyo 2019 with $315,000 for finding 18 vulnerabilities, hacking victories underscoring the understanding that major device manufacturers are selling easily hacked devices to consumers and businesses with little enthusiasm for keeping them secure.
Devices “pwned” (successfully hacked) in the contest include Samsung’s flagship S10 phone, Amazon Echo Show 5, Xiaomi Mi9, smart TVs from Sony (X800G) and Samsung (Q60), the TP-Link AC1750 Smart Wi-Fi router, and the aforementioned Netgear Nighthawk R6700 router. Manufacturers have 90 days to patch the vulnerabilities before contestants may reveal how they executed their hacks.
“Their devices are not configured the same way as Google would configure them. Google’s understanding of the code base is not being applied elsewhere.”—Brian Gorenc, Zero Day Initiative
Richard Zhu, the American half of Team Fluoroacetate, which won a Tesla for a successful hack of the car’s Web browser at the Pwn2Own at CanSecWest 2019 in March and dominated the Tokyo contest with $195,000 in prizes earned, says manufacturers are making it easier for hackers to break their products when they use open-source software but don’t keep it up-to-date.
“The vulnerabilities are already available,” Zhu says. “Tesla was up-to-date on their patches, but these targets are running older infrastructure. It’s not good to see.”
“They need to maintain their code better,” says Zhu’s partner, Amat Cama of Senegal. “If you’re forking an open-source project,” such as Samsung’s version of Android, or many of the Chromium-based browsers on smart TVs and in cars, “you have to sync faster. It’s the same story for each device.”
Google has little control over how manufacturers deliver security updates to Chromium and Android, though the company has been attempting to strong-arm its top-tier partners to keep their users safer. Judging by this year’s Mobile Pwn2Own, it’s got a long way to go.
Disclosure: PacSec’s organizers covered part of The Parallax’s conference travel expenses.