Darknet Diaries - 82: Master of Pwn
Episode Date: January 5, 2021
The Zero Day Initiative runs a hacker contest called Pwn2Own. The contest calls the best hackers in the world to demonstrate they can hack into software that should be secure. Like browsers, phones, and even cars. A lot of vulnerabilities are discovered from this event, which means vendors must fix them. Whoever can demonstrate the most vulnerabilities will be crowned the "Master of Pwn".
Thanks to Dustin Childs and Brian Gorenc from ZDI for telling us all about Pwn2Own.
Thanks to Radek and Pedro for sharing their experiences of becoming the Masters of Pwn.
Sponsors
Support for this show comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.
Support for this show comes from Kars 4 Kids. Donate your car today; this organization will sell it to use for their charity.
Sources
https://www.forbes.com/profile/lee-junghoon/?sh=49ee055fc9c7
https://www.cyberscoop.com/pwn2own-chinese-researchers-360-technologies-trend-micro/
https://twitter.com/BrendanEich/status/697889208380293120
https://www.techtimes.com/articles/247111/20200130/google-bug-bounty-2019-became-the-highest-paid-google-hackers-reaching-6-5-million.htm
Transcript
All right, pop quiz. Who is the best hacker in the world? I think I found him. It's two guys, actually, Pedro and Radek.
Oh, wow.
They won the 2020 Masters of Pwn Award, which for now means they're the best.
As much, we really appreciate that. And as much as we would like to think we are, that would be unfair,
you know. It's quite a nice title to have and we're quite happy with it. But the fact is, you
know, there's a lot of good hackers that stay in the shadows. And I know for a fact a lot of them
are better than us. See, here's the thing. Master of Pwn is a title given to the winner of the Pwn2Own hacker competition. We'll get into what all that means later. But this is a very prestigious event with hundreds of thousands of dollars in prize money at stake. In fact, I think it's open for anyone in the world to compete in, then yeah, I think whoever wins it can possibly say they're the best hackers in the world.
I mean, how else can you prove that except through a fair and open competition, right?
Yeah, it's very good to be crowned a master of pwn.
And of course, anybody can challenge that.
But as Pedro said, there are a lot of people that stay in the shadow
or they use different competitions or formats to compete with the rest of the world.
These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a
subscription service that finds and removes personal information from hundreds of data
brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me
makes sure your personal profile is no longer theirs to sell. I tried it and they immediately
got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy. Take control of your data
and keep your private life private by signing up for Delete Me. Now at a special discount for
Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash
darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries.
Use code Darknet. Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help
keep businesses secure. I know a few people who work over there and I can vouch they do very good
work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's blackhillsinfosec.com. Blackhillsinfosec.com.
Okay, today we're talking with two guys from ZDI, which stands for the Zero Day Initiative.
My name is Dustin Childs. I'm the Senior Communications Manager for the Zero Day Initiative.
My name is Brian Gorenc. I'm the Senior Director of Vulnerability Research here at Trend Micro.
I run the Zero Day Initiative, along with a couple other things here at Trend, all focusing on exploitation and vulnerability discovery.
All right, so you're both part of the Zero Day Initiative. What is the Zero Day Initiative?
ZDI is the world's largest vendor agnostic bug bounty program.
That means we buy bugs in products from various vendors across the spectrum of IT.
That's interesting. These guys are bug buyers. Specifically, they buy zero day vulnerabilities.
And zero day vulnerabilities are bugs that the software developer or vendor doesn't know exist or has not fixed.
So this vulnerability can be exploited on the latest and greatest software updates.
So if someone can demonstrate they can exploit fully updated software, the ZDI team will buy that exploit from them.
So we buy Microsoft, we buy Apple, we buy Google, we buy Cisco, we buy IBM, we buy a bunch of different
bugs. Now, the thing is, ZDI is run by Trend Micro, which is a cybersecurity company that
makes different products like the Tipping Point Intrusion Detection System. Now, an intrusion
detection system examines the network traffic and looks for someone trying to exploit something,
and it alerts and triggers and tells the admin,
check this out, there might be something wrong here.
So ZDI was created in order to enrich the vulnerabilities that their intrusion detection system can detect.
They thought by buying bugs, it would make their product better.
But at the same time, when they're buying a bug,
they also tell the vendor that there's a serious vulnerability in their product and this needs to be fixed now. And while a lot of software vendors have their own bug
bounty program, which pays people to report bugs to them, they don't give ZDI any money for the
bugs that ZDI reports. I wish it worked that way. It would save our budget a lot. No, we buy the
bugs, like let's take a Microsoft Edge bug, just as an example, hypothetically.
So we buy a bug in Microsoft Edge. And then what we do is we create a filter for our products,
and then push that out to Trend Micro products ahead of Microsoft releasing a patch for Edge.
Yeah, well, so I guess my question is, why doesn't, so you said Edge as an example,
why wouldn't Microsoft pay for this bug?
Or why don't they pay more for it?
Microsoft would pay for it, and they probably would pay more.
But their advantage is with going to ZDI.
Certain researchers don't want to be known to the vendors.
Certain researchers don't want to deal with the disclosure.
We've had a lot of interesting disclosures over the years.
We also have kind of a frequent flyer program.
So the more you report to us, the higher levels of bonuses you can get.
And we're kind of a known entity.
Like with some vendors, researchers have had the experience where they report bugs and then they just kind of get blown off.
The vendors know who ZDI is.
We've been around long enough.
So researchers know that if they report it to us, their bug's not going to get just ignored. I've talked with a few researchers who have
found it frustrating when they tell a company about a bug they found, but that company just
ignores them. So security researchers don't always want to go through the hassle of having
to convince a company that there's this bug and you need to fix it and here's how. Instead,
they just submit it to ZDI and then ZDI does all the legwork to try to get the vendor to fix it. Because here's the thing, ZDI puts pressure on
the vendor to make the move quick. Yes, we have a 120-day disclosure timeline right now for vendors.
So from the time we report it to you, to any particular vendor, they have 120 days to work with us to get a public solution available, whether it's a patch or an advisory, some sort of fix out to the public.
And then if it exceeds that timeline, then we do disclose a certain amount of information so that people can take other manners to protect their resources.
See, ZDI has a heavy hand here.
When they give a bug to a vendor, a timer starts.
And if the vendor doesn't fix this problem in 120 days,
then ZDI will publicly tell the world about this bug.
This has given ZDI quite a reputation,
because if you're a vendor and ZDI calls you up,
you better listen and get things fixed quick,
or else your customers are going to be victim to many attacks.
And this has happened.
Vendors have ignored ZDI, and the timer sometimes expires.
Sometimes the vendor disagrees with the severity of the bug.
So we had a bug in the Foxit PDF reader, and it only hit when the protected mode was disabled.
So they said, because of that, we're not going to fix it.
And we said, we disagree with that.
And we think it should be fixed.
So we're going to go public with it.
We went public with it.
They published a blog.
We published a blog.
And later that afternoon, they came back and said,
you know what, we changed our mind.
We are going to fix it.
And a week later, a patch was available.
So clearly, if it only took them a week to make the patch, it wasn't a technical issue.
It was just a, we don't want to patch this for philosophical reasons.
So by going public with it, that changed their mind.
So ZDI was doing this bug buying stuff for a few years.
But then came CanSecWest.
CanSecWest is a security conference in Vancouver, Canada. The conference organizer
had a MacBook. MacBooks had a reputation in the public as being essentially hack-proof. Everyone
in the community knew that wasn't true, though. So he wanted to kind of demonstrate that. So at
the conference, he said, OK, I'm going to put this MacBook on this network. If you pwn it,
you can own it. Hey, ZDI, would you buy the bug? We said,
yes, we'll pay $10,000 for the bug. So an impromptu contest was launched. If someone at CanSecWest
had a working exploit for a fully updated MacBook Air, they could try attacking it. And the challenge
was to get into it without the user having to do anything like click a link or a pop-up or anything.
Simply having the MacBook on the same
network as an attacker was all that was needed. Because if someone can take a computer over like
this, this means they've pwned the computer. And the rules are that if you pwn it, you can own it,
which is different than owning it in a hacking sense. If you attack something and you get into
it, you pretty much own that system. But in this case, you're actually given the MacBook Air and say, yeah, you got into it. You can own it now.
It's yours. But then on top of that, ZDI was also offering a $10,000 reward if you can do it too.
So that's a pretty nice reward, which means hackers were spending time trying to hack into
this MacBook Air during the conference, which lasted three days. And so did somebody pwn it?
Dino Dai Zovi, yes, he did.
That was before my time, but I believe he used a bug in QuickTime to take over the system.
This was such an exciting event for ZDI that they decided to keep this contest going.
And since 2007, the Pwn2Own contest has been going on
every year at CanSecWest. Yes, from that point, it became an annual thing and it grew. Initially,
it started primarily with browsers. So the Pwn2Own contest for the next few years was just
for web browsers: Chrome, Firefox, IE, Safari. And they announced the contest rules. The browsers
will be fully updated on the latest patches,
and the contestant will need to exploit a bug in the browser and try to take over the computer.
And the only interaction the user has to do is browse to the attacker's website.
I was going to say, just browse to the website.
No user interaction after that.
Yeah, we actually have rules in the contest that require the exploit work without any user interaction.
Other than going to the website.
Other than going to the website,
then once you hit the website,
the machine is compromised and the attacker shellcode is executing.
Okay, that gives me chills just thinking about it
because I always assumed if I just go
and as long as I don't click,
are you sure you want to run this thing?
It's very bad or something.
Or there's a little padlock in the top.
Like there's all these little things I look for when I'm going to shady looking websites.
But now you're telling me it's possible that even if all that, I could still be pwned.
That's correct.
100%.
So there's a few different combinations of potential attack scenarios here.
It's not just four browsers.
There's also three different operating systems, too.
So they would ask the contestants,
what browser and what operating system do you want us to visit your website with?
And you can pick macOS, Windows, or Linux,
because writing an exploit for each of these is a little different.
And so next year, in 2008, Charlie Miller wrote an exploit for Safari on macOS.
And when the contest organizers went to Charlie's website,
Charlie exploited that computer and completely took it over.
And from then on, the contest grew bigger and bigger and bigger.
In 2014, a security research team known as Vupen came to compete at Pwn2Own.
Yeah, the Vupen Chrome escape is actually quite interesting.
That one happened in 2014.
And it's, I think, still to this day,
one of my favorite exploit chains that we received from Vupen.
So Vupen at the contest was targeting Google Chrome.
Obviously, at the time, it's still to this day,
it's considered one of the most hardest browsers to actually compromise.
And so what they ended up doing is they have their
server, we have the attack laptop, and one of the ZDI team members surfs to their controlled web
page, and it basically says waiting. And what's happening underneath the covers is actually
they're exploiting a use after free in Google's renderer process. Use after free is a classic exploit.
A browser has an object in the computer memory in order for it to work.
But what an attacker might do is delete that object from memory somehow, but not tell the
browser that the object was deleted.
So the browser still thinks something is there, but the attacker will put something else in
that spot of the memory.
So when the browser goes to run the program that's in that piece of memory,
it's running the attacker's code instead, which can be something malicious.
And so once they've actually successfully exploited the use after free,
they move on to trying to escape the sandbox.
And getting out of the sandbox is the next big hurdle.
Most modern browsers today render websites in a sandbox. And
if you think about it, when you're browsing the internet, you're loading all kinds of content from
people you don't trust. Images, sound files, JavaScript, it's all being downloaded and opened
on your computer. So browsers place all that in a sandbox, which is a place where all this can be
opened, but nothing in the sandbox should ever be able to interact with anything else on the computer. And so a sandbox is a safe place to
load untrusted content without the fear of it spreading to the rest of the computer or even
to other tabs within the browser. So sandboxes have a very strict amount of privileges and
something they don't allow for is someone to fully take over a computer. So this is why attackers
need to learn how to escape the sandbox to take over a computer,
which is what Vupen came to demonstrate live on stage during the contest.
And the way that they did this was they actually used an undocumented feature in Windows,
which allowed them to load a COM control onto the clipboard of the operating system.
And so what ended up happening is every time you would right-click,
the COM control would get instantiated
and execute attacker control code
outside of the sandbox itself.
So it was this kind of slick way
of escaping the Chrome sandbox
using some of the undocumented features
in the Windows operating system.
Now, to me at least, this is exciting to watch.
It's not quite a spectator sport though. So it's just about as good to hear about
it later as it is to see it live. But it's exciting in the sense that an unknown bug to a
major browser is going to be exploited right here on stage right now. Yeah, it's usually it's usually
very exciting, right? So and you know, what's what's happening kind of on the on the contestant side is, you know, they've put a lot of time and effort into first finding the vulnerability and finding the sandbox escape.
And then taking the time to write the exploit, make it reliable, make it so that there's no user interaction.
And it comes to this point in the contest where, you know, it's all on the line, right?
And there we have, you have five minutes to make the exploit work. And so, you know, there's a lot
of tension that occurs in the air and in the room when it comes to that point of actually surfing to
the webpage, right? And, you know, for us in ZDI, we're always very much, we want the contestant to
win, right? We want to pay the bounty. We want to be involved in the disclosure process. We want to
see them be successful because ultimately what's going to happen is the vendor is going to release a patch that's going to remove this
exploit from being used in the wild. And so, you know, we're also very excited when the actual
exploit works because we look at exploits as kind of art, right? There's always, you know,
unique things that they're doing to make the exploit work. They're using, you know,
different exploit techniques, you know, unique bugs,
things that have never been seen before.
And so, you know, when the exploit is successful,
it gives us an opportunity to kind of go
take a look at that exploit chain,
understand how they put it together.
You look at the vulnerabilities that they were using
and see if there's any interesting new techniques
that we can kind of provide protections for,
but also recognize all of the efforts
that the contestant has put into actually developing that exploit.
So the Vupen team sat down, got their malicious web server ready, then told ZDI to browse
to their web server.
And after ZDI went to the website, a few moments later, the calculator app launched on ZDI's
computer, which proves that the Vupen team was able to get into that computer and launch
whatever program they wanted.
And I remember when we were sitting in the disclosure room
at the contest going through the exploit
with Microsoft and Google at the time,
we were all kind of sitting there, you know,
surprised at how efficient this was
and the fact that they were leveraging something
that was undocumented in the operating system
that would allow them to execute code
and escape the sandbox,
which at the time was something that still was relatively rare to see.
But it was fun to, you know, you just go to a website, the browser doesn't crash, and
then you minimize the browser and start right-clicking on the desktop and calculators start popping
up on the screen, you know, kind of demonstrating that they did have complete control of the
computer at that point. Demonstrating this vulnerability and having it work earned Vupen $100,000 in prize
money. And over the course of time, Vupen has gone to Pwn2Own and taken prize money home many times.
See, Vupen was this team of security researchers who were in the business of finding
vulnerabilities and selling them to law enforcement. So this was actually their whole business.
Which brings me to the question, is $100,000 a lot for a bug like this?
Well, it seems like it is. It's a lot for ZDI, that's for sure. But let's talk about some options.
What else you could do with a zero-day bug like this?
If the vendor had a bug bounty program, you could submit to them.
And some vendors pay pretty well.
But do they pay $100,000 for a bug?
Well, Google's maximum payout for a bug is currently set to $30,000.
But a security researcher in 2009 was able to demonstrate that he could take over a Pixel 3 phone with just one click,
and Google paid him $200,000 for that one. But the reason that was so high is because the
researcher was able to chain a few different exploits together to get this working. So they
actually use multiple bugs to do that, and sometimes vendors will pay double when they
want researchers to focus on a particular product. And it's sometimes
hard to get vendors to look at bugs that you give them and get them to pay out. Obviously,
taking full control over a computer using an unknown bug will be one of the higher paying
bugs. But then there's a few other markets for places you can go to sell zero-day exploits. The
dark web is one place, but it's shady and shifty. Like, is someone really going to roll up and pay
$100,000 for a vulnerability on a darknet marketplace? How do you know it's an actual
zero-day vulnerability? How do you know that you'll get working code and you're going to be
taught how to use it properly? Or how do you know where it even came from? Maybe the seller will
sell it to you and then sell it to your adversary the next day. And think about who's buying and selling
zero-day bugs on the dark web. Probably criminals, right? People with ill intent, at least. The market
for this on the dark web is starting to dry up. And so there's law enforcement. Places like the NSA
and FBI sometimes use zero-day bugs to get into things. The classic example is the San Bernardino
iPhone story. This
was an iPhone recovered from one of the terrorists who did an attack in 2015. The iPhone was password
protected, and the FBI wanted Apple to unlock it, but Apple refused, mostly saying they don't have
the ability to do that, and they've designed the phone in such a way that it's impossible even for
Apple to unlock it. And the court wasn't able to force Apple to do it. So the FBI had to go to plan B, which was to hack into it.
We don't know the specifics, but the story goes that the FBI bought a zero-day bug
for a million dollars to get into that iPhone.
So an exploit to get into a locked iPhone goes for a million dollars on the gray market.
There are mercenaries too, hacking groups who work for the highest bidder
to hack into a target.
An example here is Project Raven.
In fact, in episode 47, I talk about Project Raven.
And this was basically a hacking group
who was contracted by the UAE to hack into its adversaries.
And one of the hacking tools they used is called Karma.
This allowed Project Raven operatives
to access information on a target's iPhone
without the target having
to click or do anything. Simply by sending a message to that iPhone was all it took.
We believe Karma was an exploit that was purchased outside of the UAE. We don't know how much they
paid for it, but it sure is probably worth a million dollars since Project Raven was able
to use it for years on dozens of targets without it being patched.
So anytime the UAE government wanted to spy on someone's iPhone,
they had a pretty easy and quick way to do it.
And see, the thing is, we're in the era of cyber arms industry, where buying and selling zero-day exploits is fairly common among nations and mercenaries.
Because having that slight edge on an adversary can really go a long way for a nation's intelligence gathering.
Yes, there is the exploit broker market and the black market
that can pay a lot more.
There's different concerns that researchers have reporting it that way.
One thing is that you go to Pwn2Own,
and there's press coverage, and there's adoration, and there's Pwnie Awards that a lot of Pwn2Own stuff gets submitted for.
So you kind of make your name a little bit more well known. If you sell to an exploit broker,
your name will never be associated with your research. And your research could be used by
an oppressive regime to, you know, monitor people or something. Some people have ethical problems with that.
Some people just see two commas in a dollar figure and say, that'll sort itself out.
So it's one thing that we do compete against.
Vupen has demonstrated 11 zero-day vulnerabilities at Pwn2Own over the course of a few years.
But that team has now morphed into what's called Zerodium,
which they still work to acquire zero-day exploits and
report on them. Zerodium has their own researchers trying to develop zero-day exploits, but also
spends a significant amount to buy exploits. And that just makes me wonder why Vupen decided to
publicly share these with ZDI. Maybe to become known as the people who have lots of zero-day
bugs. So many that they're willing to share them with ZDI.
I'd like to interview these guys one day, but in my experience, zero-day brokers just don't like talking publicly.
Stay with us, because after the break, someone's going to pwn a car.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and
your organization at risk and what to remediate is critical for protecting you and your users
from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in
identity threat protection, you're never in the dark about your company's exposure
from third-party breaches, successful phishes,
or infostealer infections.
Get your free Darknet exposure report
at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
So I'm reading this article on Forbes.com.
The article's titled, 30 Under 30 Asia.
They pick 30 people under 30 years old that are noteworthy in making a name for themselves.
And one person on this list is named Junghoon Lee. And let me read what Forbes wrote about him.
Lee, better known by his online alias Lokihardt,
is said to be able to hack into any computer, smartphone, program, or browser
from Apple iPhone to Microsoft Edge, Google Chrome, or Safari.
Who's this guy, Korean Junghoon Lee?
What did he exploit?
He exploited everything.
I think he exploited Chrome, he exploited IE, and he exploited Safari.
Okay, let's talk about that then.
Yeah, so he goes by the handle of Lokihardt.
If I remember correctly, he was actually kind of worked in the game community, game developer.
And so he kind of had a unique way of looking at vulnerabilities that he would find in the browsers.
And typically what he would find is race conditions. And so he'd find a place where, you know, code is racing for a specific point and find a way to exploit that in a way that would allow him to get code execution.
So I remember about his attempts is that a lot of them were, you know, race conditions and kind of unique bugs that not, you know, normal fuzzers and testing techniques wouldn't find.
And that's why I really enjoyed his approach to looking for bugs.
I think one of the most interesting ones I remember from him was he had a,
I think it was an IE exploit where to escape the sandbox,
he actually forced the browser to open up the on-screen keyboard.
And he was clicking on the keyboard with his exploit code
to actually execute commands on the actual operating system itself.
And it was really, it was actually, that one was very visually fun to see
because you would go to the attacker control webpage,
you would exploit the browser,
and he brought up the virtual keyboard
to actually start clicking on different keys on the keyboard.
And I think the attempt didn't work at Pwn2Own because he had tested his exploit against,
I think, the Korean version of the operating system.
And we were running against the English version of the operating system.
And so the keyboard points were slightly off.
And as a result, he didn't actually get code execution outside of the sandbox.
But it was one of the more interesting exploits that we had seen at the actual contest.
And I think his largest payout was $110,000.
Over the three-day program, he won $225,000.
Oh, that's crazy.
That's some young Korean guy just showed up to Pwn2Own,
demonstrated how he can take over computers running Chrome, Edge, and Safari,
and then walked out with a few hundred thousand dollars.
Who are these guys?
Well, Google was apparently really impressed with his work.
So they offered him a job.
And so Lokihardt took the job and moved to Sunnyvale and started working at Google.
But I don't think he works there anymore now.
When this contest happens, I mean, since 2007 to 2017 at least, that's 10 years of
browsers are getting pwned every year.
Yes.
What do the browser companies think of this event?
Well, we've heard from Microsoft that they actually like it
because they're getting research that they would not otherwise do.
And especially the security folks, they can go to their management and go,
look, the secure initiative that we want to do,
these mitigations that we want to implement, see at Pwn2Own, we're getting popped. If we implement this mitigation,
maybe we won't get popped so easily. So it's, I wouldn't say they love it, but I think that
they definitely appreciate it. And most of our vendors, we have a very good relationship with,
so that they know that we're also a fair broker and we're not going to do
stuff just to make ourselves look good. And they know that overall their product's going to get
more secure. I think you can look at the contest too over the years too is that, you know, early
days in Pwn2Own a lot of these vendors were not, you know, really enjoying being part of the
contest. But over the years, they've actually, you know, started to see the value. They've
actually started to sponsor the conference and they want to be more involved with the actual research community.
And as a result, you know, you're seeing a lot of these vendors kind of open up and use that data to actually improve things like the sandbox and the rendering engines inside of the browser.
So while initially Pwn2Own was just browsers, it's now expanded well beyond that.
Over the years, we've added applications and other technologies.
So it really kind of started with Flash and Java, which kind of makes sense because that's things that are occurring in the browser.
But then we ended up adding enterprise applications like Microsoft Office and Adobe Reader.
Phones at some point came into it as well with the BlackBerry and iPhones.
And then we really started focusing on the operating system and sandbox escapes.
In 2016, we introduced the virtualization category.
And then we added in 2018, IoT devices.
And in 2020, we even added a Pwn2Own specifically for industrial control systems
and SCADA products.
So it's really grown over the years as it's formalized to really spread out and look at
a wide range of enterprise products, consumer products, and now ICS and SCADA products.
And this event has made quite a name for itself.
Vendors know exactly what day Pwn2Own is happening and sometimes push patches to
their products just before the event.
But I do wonder what vendors think when they get added to the list of targets at
Pwn2Own.
Like, do their eyes widen when they realize they're now going to be on the crosshairs
of the world's greatest hackers?
Yes, we've had vendors actually try to opt out of participating, but we let them know
that's not really an option.
But then by the end, they were actually enthusiastic. And like Brian says, Microsoft is a co-sponsor of Pwn2Own, as VMware is too. Now, while Pwn2Own was always about testing
the security of browsers, one year they didn't allow testing in Firefox. Yes, there was one year
we did not include Firefox, primarily because they hadn't made any significant new security improvements over the year.
And at the time, they weren't even sandboxed.
Yeah, Firefox just wasn't updating the security of their browsers enough for ZDI to feel confident in testing it.
In fact, Brian was quoted saying, we wanted to focus on browsers that have made serious security improvements in the last year.
And when the Firefox CEO saw that, he tweeted, ouch, which I think was
quite embarrassing for them. But since then, Firefox has been included again, and they're
putting a lot of focus into securing their product. So as Pwn2Own continued and grew year after year,
it became more and more prestigious to be a prize winner from the contest. And in fact,
to make things even more prestigious, they started a thing called Master of Pwn. So in 2016, we created this title called Master of Pwn. And the way Pwn2Own
works logistically is at the beginning of the contest, everyone's name who's participating
goes into a hat. And we draw names out of the hat. And that's the order that you go. So we're
looking for the first win in a category,
and that's the full winner.
Everything subsequent,
the prize money goes down for additional rounds.
So if a Chrome exploit is worth $75,000 in the first round,
it may only be worth $35,000 in the second round.
So there's a randomness of luck into the contest.
So you might end up with the best research, but if you have a bad draw, you get a lot less money.
So we introduced the concept of Master of Pwn to crown the overall winner.
Where, okay, that Chrome bug is going to be worth 10 points.
But it's worth 10 points the first round, the second round, the third round, and so on.
So if you've got the best research but have a bad draw, you could still be crowned the overall winner of Pwn2Own,
Master of Pwn, if you end up with the most points.
So this is where it got really competitive.
What ended up happening is, in kind of the Pwn2Own evolution,
is we started to experience more and more teams in the contest.
And the purpose of the team was to actually, you know,
try to land an exploit
in every category and try to accumulate enough points to win that master of pwn. And because,
you know, there's a lot of press and there's a lot of notoriety that goes along with the Pwn2Own
contest, companies started to form very large teams to actually compete against other companies.
And some of the top players in this space was two Chinese companies,
one Tencent and the other 360,
who developed really advanced and elite teams to participate in Pwn2Own.
And these teams would be large enough
where they would have individual researchers
looking at different subsystems to find bugs
and then would put them all together
to actually bring a large number of exploit chains
to the contest
so that they could make an attempt to win the Master of Pwn.
And between those two companies, it was quite competitive.
What ended up happening one year is that during our 10-year anniversary,
the two teams were very close to winning the actual Master of Pwn award,
and it came down to the rules in the contest.
So the rules in the contest require that you use a zero day and that it's unknown to the vendor. But occasionally there
can be collisions, we call them vulnerability collisions, where one researcher submits a
vulnerability and another researcher submits the same vulnerability and a collision occurs.
And as a result, the person who uses it first in the contest based off of the draw gets the points for that specific vulnerability.
So years prior, the collisions would occur and they would happen within the contest.
But what ended up happening as the competition for the master of Pwn became more and more important to these companies,
they would actually start researching, basically reverse engineering the other research team's
researchers, looking at how they would go about finding bugs and try to find the same bugs that
they were finding and submit them to the vendor prior to the contest.
So yeah, in 2017, the Chinese team from Tencent blocked the Chinese team called 360 by submitting
one of 360's bugs a few days earlier.
And that's just crazy to me.
Tencent didn't hack 360 directly, but instead studied how 360 went about finding bugs.
Like, I think what happened is someone from 360 gave a talk at a security conference explaining
how to look for bugs or something like that.
And someone from the rival team of Tencent was there and took notes and learned the technique and found bugs that 360
probably would have found. And so they told Google about this just to mess with 360 to keep them from
getting points for that bug. And that's wild. But this rivalry between Tencent and 360 goes way
beyond Pwn2Own. These two companies have been feuding over things for a long time,
and they're not just fighting over who's the Master of Pwn.
So the title comes with a trophy that's very important to them as well.
And it usually comes with a jacket.
We have a lot of fun with the various jackets that we've had over the years.
We've had a smoking jacket.
The 10th anniversary, we had a custom bomber jacket made up.
It was really cool.
This year, we have a custom hazmat suit for the Master of Pwn winner.
But really, it's the notoriety that they're looking for.
That title of Master of Pwn, especially in certain communities,
it's really well respected.
Okay, so this Team 360, the same year they were getting blocked by Tencent,
was the same year VMware made its debut at Pwn2Own.
Now, if you aren't aware, VMware is a way to run multiple virtual servers on one computer.
So like years ago, you might have one mail server and one domain server and one
web server, and each one of these were on their own physical computer in a data center somewhere.
But with VMware, there's now one physical server with many virtual servers inside it,
all separated into their own container, and they can all share the same hardware resources. So it's
important to test VMware for security holes since it runs all these different operating
systems.
So the way Pwn2Own set up the contest was they installed the latest version of Windows,
then installed the latest version of VMware Workstation, and in that VMware Workstation
they installed another latest version of Windows.
And from the virtual Windows computer, they loaded up the Edge browser and went to 360's
website. And then that's all you had to do. At that point, we took our hands off the computer
and watched the exploit work effectively. So what was happening behind the scenes is
they were abusing a vulnerability in the browser that would allow them to get an exploit primitive
that would allow them to do an out-of-bound write and an out-of-bound read. And this would allow them to exploit the browser.
And then they started to attack the Windows kernel because the vulnerability in VMware
that they needed to access was one that required an escalation of privilege. They need to be running an escalation to get access to that driver.
Once they exploited the operating system, the guest operating system,
they started attacking the VGA driver of VMware workstation.
And once they finished exploiting the VGA driver in VMware,
the screen in the guest operating system would resize and then
a calculator would pop up. Now that calculator would normally be in the guest operating system,
but in this case, that calculator was actually running on the host operating system.
So they were actually able to get code execution in the browser, then get code execution on the
guest operating system, then exploit a
vulnerability in the VGA driver in VMware Workstation, which would allow them to escape
the VMware Workstation hypervisor and execute code on the host operating system to completely
compromise the actual host operating system. Wow, that is so incredible to me. That's honestly one of the most astounding hacks I've ever heard of.
You should not be able to take control over a computer by just browsing to a website.
That alone is still blowing my mind that teams are able to do that at Pwn2Own practically every year.
But then escape out of the virtual computer and get full access to the host computer, that's just insane because the guest operating system
should absolutely have no way to access the host's operating system. Like for instance,
I've seen honeypots ran from within VMs and I've seen people using VMs to open malware or phishing
emails or browse to shady sites, because what's the worst that could happen? The VM could be infected, but
that's easy to delete and create a new one. But now we see 360 demonstrate that, no, it is possible
to escape out of a virtual machine and get access to the host computer. Oh, that just sends chills
through me. It was crazy to watch.
The first time I saw it, I was amazed to see how efficient it was
and how amazing the actual exploit was.
And I remember it took quite a bit of time.
It took, I think, a minute or two to actually pull off
because there was a lot of activity going on in the exploit.
But when it popped calc on the host, everybody cheered and was quite excited to
see that actually happen live in front of everybody. 360 won $105,000 for demonstrating
that attack chain. There's so many incredible exploits that get demonstrated at Pwn2Own.
I am fascinated by so many. Like for instance, George Hotz has competed in this and
walked away with prize money multiple times. He's the guy who jailbroke the first iPhone,
modified the PlayStation, which caused a crazy lawsuit, and is a member of the PPP CTF team,
which has won like six black badges at DEF CON now, and has created a company which develops
software for self-driving cars.
And there's another team I think is worth mentioning.
It's called Fluoroacetate.
Yeah, that's their team name.
And it's actually a pun because it's based off of a pesticide.
So they're bug killers.
It's made up of two people, Richard Zhu and Amat Cama.
So they're definitely an interesting pair.
Amat is from Senegal, and then Richard lives in the U.S.
Before forming the team, they had both been going to Pwn2Own just as independent researchers.
In 2017, Richard Zhu brought an exploit for the Microsoft Edge browser to demonstrate.
So the Pwn2Own contest organizers used Microsoft Edge to browse to Richard's server, and that's it, hands off the keyboard.
And from there, Richard tried to use that session to take over that computer. But something went wrong on his
first attempt. The exploit didn't work. Now, contestants have five minutes to show their
exploit. And while up there on stage all alone, Richard began typing, fixing his exploit on the
timer. He said, OK, try again. And so the contest organizers tried again.
They went to his website.
He tried to exploit the browser, but it didn't work again.
There was still time on the clock.
So Richard went back to troubleshooting,
trying to get the exploit to reliably trigger.
And I remember his hands were shaking quite a bit
as we got closer to the end of the clock.
Can you imagine?
You're at the yearly Pwn2Own.
Everyone is watching to see if you've got what it takes
and you're trying to type and debug code
live in front of people.
It's gotta be nerve wracking.
But he got something ready
and he asked them to try again.
And this time it worked.
He was able to take control of that session
and open a calculator on the computer
that went to his web server.
And he still had one minute and 37 seconds left on the clock when it was over.
He won $70,000 for that exploit.
So that's who Richard is.
The other guy on this team is Amat.
Amat's specialty was actually baseband exploitation.
Baseband is a technology that mobile phones use.
It's a type of signal with a specific frequency range.
And if you think about all the different wireless signals coming in and out of your phone,
there's Wi-Fi, of course, there's Bluetooth and NFC.
And to make calls, it uses baseband.
And so what he is very good at is actually exploiting the baseband processor in the phones.
So Pwn2Own now has a baseband category for people who want to try to hack phones through this wireless signal.
And here's the scenario. Your phone tries to connect to the nearest base station to get a
signal from the carrier. But suppose someone pulls up with a van right outside your house,
and in that van is a rogue base station acting like a carrier cell tower. Well, your phone might
connect to that base station. And the question is,
if it does connect to a rogue cell tower, what could that base station do to your phone?
Keep in mind, we're only talking about the baseband frequency here, which is not the same as
TCP IP or whatever networking we all might be familiar with. And so this is what Amat was
researching for Pwn2Own. Well, there's a protocol that happens between the base station and the actual phone itself
for communication purposes. And then usually what ends up happening is Amat will have found
a weakness in the implementation of this protocol, and he'll exploit a vulnerability inside of the
process, inside of the baseband processor to gain code execution in that part of the phone.
So using just stack overflows
and some of the more classic vulnerabilities over time,
that's what we've seen a lot inside of the baseband processors.
Okay. So he earns money for that?
Yes, he does.
And from 2017 to 2019,
the Samsung Galaxy was part of the contest and was actually exploited by a baseband three years in a row.
And each of those was $50,000 plus.
Wow. I'm just glad that someone is there poking at the stuff.
There's so much technology integrated into our personal and private lives that we don't even realize is there.
And I sure hope it's all secure. And I guess we have Amat to thank for finding vulnerabilities in the way some phones handle
the baseband processing and getting that stuff fixed.
But anyway, these two guys, Richard and Amat, were really doing well at Pwn2Own on their
own, winning prize money year after year.
So they decided to team up and they called themselves Team Fluoroacetate.
And from there, they just started dominating.
Well, they kind of take over Pwn2Own for a couple of years. They really complement each other very
well with how they are able to research. And starting in about 2018, they took over Pwn2Own
Vancouver, as well as Pwn2Own Tokyo, and were definitely scoring more points than everyone else.
They're bringing a lot of great research to the contest and leaving with a lot of our cash.
All right. So Fluoroacetate retrieved a deleted photo from an iPhone.
In this case, what we end up doing at the contest is, the way that you demonstrate the kind of code execution on a phone is we have, you know, SMS messages and photos on
the phone that we've taken. And so we usually take silly photos before we put the phone inside
of the RF enclosure. And so there was a year where we actually, you know, we deleted one of the
photos from the phone because we did not want it, you know, it was not something we wanted to
show in front of the entire audience.
But what ended up happening is they actually exploited a vulnerability in the browser and retrieved the photo archive from the phone.
And the first photo that they pulled up was actually the photo that we had deleted.
And so it didn't show up on the phone as being actively there,
but it was clearly there still in the cache.
And so the exploit was
actually able to retrieve deleted content from the phone that just hadn't been removed by the cache
yet. Everyone was properly shocked by this. The Pwn2Own guys were like, how did they recover a
deleted photo? It's been deleted from the phone. But not only that, again, the simplicity of this
is just so stunning to me. Just by going to a malicious website is all the user had to do to get their phone completely
taken over. There's no need for the user to click install on something or accept any weird pop-up.
Just visiting a website was all it took. In 2019, we partnered with Tesla to have a Model 3 available to hack at Pwn2Own. And as part of that, we got different
head units from Tesla and we shipped them around the world to various researchers, including Richard
and Amat. Okay, so the head unit is just the electronics inside the car, the infotainment
system on the front dashboard, really, because that head unit can basically control the whole car.
So if you can exploit that, you can pretty much take over the whole car.
So they ship these head units out to some of the contestants,
like Richard and Amat, to try to hack into it.
Amat forgot that Senegal runs its electricity different than California.
So he plugged it into a 220 outlet when it was set to 110,
and it immediately fried the head unit.
Oh, man. Ouch.
But he got a new power brick, and he was lucky that was the only thing that got fried.
So once they had the Tesla head unit all back together, they started hacking away at it,
and they found an exploit.
And they brought their exploit to the Pwn2Own event,
where there was a complete Tesla Model 3 in the parking lot.
Inside the Tesla, on the dashboard, is a little computer with a touchscreen and everything. And on that is a web browser. So from that web browser,
they visited Team Fluoroacetate's website and they were able to exploit that session
and take over the Tesla. And that was enough for them to win a Tesla Model 3.
Ah, of course they got to keep the car. It's Pwn2Own. If you pwn it, you own it, remember?
Ah, this contest is cool.
And it really brings out some crazy bugs that should have absolutely been fixed.
So from my perspective, one of the things I like about the contest is it really allows us to guide
researchers in specific areas. And what usually happens is we're sitting around just trying to
come up with what categories we want to see really cool research in. And then we include that in
Pwn2Own.
And then hopefully that encourages researchers to do research in that area
and then report those bugs.
That's kind of how we came up with the virtualization category
is we just said we want to see VMware bugs
and we weren't getting any in the program.
And then we started getting VMware bugs.
And now we get quite a few, starting with just a couple in 2017.
So that to me is a great value to the program as well.
Yeah, it's quite fun.
I think, you know, from my perspective, like, you know, I've been involved with it now for quite a bit of time.
And you really get to see the kind of change in the way that the community approaches the problem of exploitation.
You know, back when I first started, it was, you know, small teams, individuals participating in the program.
And then small companies got involved, like VUPEN, where they would actually have like, you know, a workforce that was developing exploits for the contest.
And then very large organizations, you know, some of the biggest companies in China participating at a large scale, bringing exploits for every single category, every single target.
And then it's shifting back to the, you know, small,
you know, individual researchers again, you know, and the fact that it is possible to write some of
these exploits and research these attack surfaces as an individual, I think is important for people
to see. And then now, you know, again, we've got, you know, small teams starting to participate
again. So while Pwn2Own is not really a spectator sport, it's still an exciting contest. They don't really
show anything to the audience because they need to verify the exploit before giving points,
and they don't want other teams to see how it was done. So there's not much to see if you go.
But what happens in the wires is where the exciting part happens. And the people who compete in it,
yeah, I'm going to say this is the big leagues.
It's a place to demonstrate that you're one of the top tier hackers in the world.
Which brings us back to Pedro and Radek, the two guys you heard at the beginning.
Together, they're known as Team Flashback.
And I had the chance to talk with them after they won the Masters of Pwn in November 2020.
Okay, so our team is called Flashback.
We just thought it was quite a cool name to have,
you know, and we just went with it
and also kind of related to hardware hacking,
which is pretty much what we do, right?
It's flashing something, you know,
so hence Flashback.
This is Pedro, but I've got to say
both Pedro and Radek do sound very similar to me.
So we met, actually the way we met was Radek hired me.
He hired me as an external consultant
for the company he was working at the time.
And we got along pretty well.
You know, fast forward, we like the same stuff.
So for example, we like motorbikes.
So we go on motorbike trips.
And this was 2018.
We decided that we want to do something
together when we were in one of these motorbike trips. And then the initial idea was for us to
provide some training, specialized training in this area. But then this opportunity of
Pwn2Own just appeared out of nowhere. And then I just remember Radek, I just suggested to him and from then on, it just caught fire, you know, and then we just decided to
go for all Pwn2Owns we could. Okay, now hold on a second, doesn't work that way. Because
trying to find a zero day vulnerability in some of the most secure software, I mean,
the browsers are working really hard. I mean, you're going against Google
engineers here and Microsoft engineers to say, we think we can find something that you guys
overlooked. What gave you that confidence that you think you can find zero-day vulnerabilities?
Have you historically been good at finding these things or why this? So as Pedro mentioned, we know each other for some time already.
So when I hired Pedro for the project I was doing at work, we teamed up pretty fast
together.
So we are starting to find vulns in the software for cloud, for network devices.
And it immediately clicked our personality
that we can work very efficiently together
and find zero days or vulns super fast.
And yeah, if you look actually at our history
or achievements, so Pedro has like,
I don't know, what is it like,
over 100 RCEs under his name.
I was a little bit staying in the shadows.
I didn't publish a lot due to the NDAs.
But I think we have quite a lot of achievements already this far.
RCE is remote code execution.
And yeah, Googling Pedro's name, I see a bunch of hits of vulnerabilities with his name on them.
Specifically vulnerabilities which allow him to execute remote commands on a device using an unknown vulnerability.
So for this team, they're both professionals in the security field who like looking for
vulnerabilities in products. So yeah, we had some experience. Like you said, we just clicked
together and then, yeah, we just, you know, it's a game of perseverance, right? Finding any
vulnerabilities is all about
perseverance. I mean, how hard and how deep you want to go and what kind of patience you have,
because it really tests your patience. What they like poking at most are hardware devices like
routers that you would find in your house. These are physical devices, yes, but they have software
running on them too. So this combination of how the software interacts with the hardware is where they're looking
for vulnerabilities.
So for us, the approach is, well,
we both work together on the target.
We are in different time zones,
so we can kind of split the work.
And that works super good because when I wake up,
I got some results from Pedro that he takes over
and so on, or I think over.
So that works pretty good.
Are you both hammering away or trying to do the same kind of thing?
Or is somebody good at networking while the other one's good at reverse engineering?
Or what are your strong points as a team here?
So we have a lot of overlaps in terms of finding vulns or exploitation, but obviously one and the other had a bit more edge on specific aspects.
So for instance, I am a little bit better in the hardware side,
so taking the firmware from the devices and doing some hardware modification,
while Pedro is better in writing exploits.
So while we both could do the same,
it's just way much faster and efficient
if you focus on the areas that you are better in.
Still, when we always work on a target,
we always work together.
So we never like to do disconnected activities.
We always go through it together.
We do the attack reconnaissance,
the attack vectors, and so on.
So we always are in sync full time.
So the goal is always to achieve remote code execution.
In our jobs, we kind of do a little bit different role, right?
Because we're more on the defensive side or offensive, but to try to help companies.
So we basically catalog all the vulnerabilities we found.
It can be some file disclosure,
some unauthenticated download, etc.
But for Pwn2Own, really, all we care is
get control of the device,
gain remote code execution by whatever means possible.
And sometimes those means can be quite simple in some cases,
and other times can be very convoluted, very
complicated with exploits, chaining five and six exploits into one in order to get this
remote code execution.
One of the vulnerabilities they found was on a normal off-the-shelf home router.
They got one and looked inside at the software and they saw what services were running
on this router and started scrutinizing each service to see if any of them had a vulnerability.
And after a week, they had developed a fully functional remote code execution. And so here's
how that works. These routers sit in our homes, okay? One side is connected to all the computers
inside the home and the other side is connected to the internet, your ISP.
They found a way to craft a packet in such a way
that the router would process it
and then execute whatever commands were in that payload.
But in this case, it was quite tricky
because we could only really inject one or two characters at a time.
So what we did is we basically wrote a file to the operating system
by exploiting the vulnerability multiple times,
injecting one character at a time until we built the command we wanted.
And then we just executed that file.
And that's how we got our root shell.
When they were able to conduct this exploit for the first time, it was quite exciting.
Oh, yeah. This is, you know, the best feeling in the world, you can say.
People might think that the more exploits you develop and you have,
it's kind of normal.
But for me at least, and I see about Pedro as well,
every single time we got a new exploit, a new RC,
it feels like a fresh, completely new experience.
You're super hyped and super happy that you finally got it.
And you feel like you walk elevated and you just don't want to stop.
That's a super big... Yeah, you giggle like a schoolgirl, really.
Yeah.
This is such a scary exploit.
Anyone on the internet who has this exploit can send some packets to your router and get a root shell from that.
And a root shell means you can do anything you want on that router, including looking at all traffic coming in and out of your home.
This is the kind of exploit that governments and mercenary hackers would love to get their hands on.
But Team Flashback is not interested in selling their vulnerabilities to people like that.
Well, in the first place,
we wanted to participate in Pwn2Own.
So we were going after the targets
which were on the list for Pwn2Own.
So we were playing by the rules.
Of course, we could sell it to the broker or somebody,
but we believe that was the best way forward for us
to participate in Pwn2Own.
And yeah, I think these are pretty dangerous exploits,
especially the one side.
So that means that NSA or any malicious actor
has some capabilities,
could hack any router of this type, the home user.
And actually two of our exploits were delivering the permanent backdoor.
So once you exploit it, the user is not even aware of the exploit being planted,
the backdoor being planted on their device,
which actually survives factory reset.
So it will stay there forever until we
hack it back.
Wow.
Okay.
Yeah.
I mean, you want to do Pwn2Own because you
want to prove you're the masters of
Pwn and the best hackers in the world.
That was our goal.
Yeah.
Yeah. Yeah.
I mean, it's all about motivation, right?
Our motivation is not money.
You know, we can tell this, right?
I'm talking for myself, but I know Radek thinks the same.
So we could make a lot more money selling this in the gray market.
So you said you're not motivated by money.
What are you motivated by? I think in my particular case, it's not as much fame, but it's more like respect, right?
So I really love hacking. As I said, I spend all my waking hours doing it, basically.
And, you know, when you love something, you want to be respected by your peers, right?
It doesn't mean that I have to be the best guy ever
or that people have to fawn over me.
That's not what I'm looking after.
I'm looking to be respected by the same people that you respect.
I think everyone in every field, not just in cybersecurity,
that's what they really aim for.
And this is the way to do it.
And honestly, obviously, money also plays a role.
But in the end, you know, I got my other job and Radek's got his other job that gives money.
And the Pwn2Own prizes are not bad at all.
You know, yeah, we could get more in the gray market, but it's just not worth not having the fame and the respect we can get from Pwn2Own. So together, Team Flashback has brought 11 working zero-day exploits
to three different Pwn2Own events
and have taken money home from each event.
And in the November 2020 Pwn2Own, they won Masters of Pwn.
Well, in total, I think that was 50k for 2019 Tokyo.
55.
55.
Then 75K for Miami in January.
That was industrial control systems hacking.
And now, was it 40, Pedro?
40 plus the bonus, I think.
Yeah, plus the bonus, 25K.
So it was around 200K in a year,
which is pretty good, even if divided by two.
Yeah, you could live off that.
That's only our side job for the weekends.
Well, I wish, because actually it consumes
months, but yeah. But it was worth it.
You know, again, the motivation is not money,
right? But it's always
good to also have a bit in your pocket.
Now, it's common to experience something
weird when competing at Pwn2Own, and
Team Flashback had something weird happen to them, too.
In 2020, they brought six working vulnerabilities to the competition, but were only able to execute
four of them. Two of them were mysteriously patched just days before the event. They don't
know why. Maybe the vendor found it. Maybe another team submitted it ahead of time.
Who knows if something shady went on. Yeah, there's a lot of dirty tricks in the history of ZDI. This is a well-known thing.
And from what we heard,
unofficially from the ZDI guys,
this is quite common
or used to be quite common
because there's the thing,
you know, there's been a shift
in the last few years.
So in the beginning,
Pwn2Own was mostly
independent researchers
and independent teams like us.
Then it shifted to company supported.
So, for example, Tencent and 360, they're blocked by the Chinese government to participate in Pwn2Own.
But they have their own Chinese Pwn2Own.
And if you look, they have amazing results.
I mean, let's be honest, way better than us.
But these guys, they're like basically 20.
You know, the winning team in the Chinese Pwn2Own this year, it had 19 people.
That plus corporate backing, you can't really beat us in independence.
The good side of, you know, the Chinese not being allowed to participate in the competition
is that we're back again to independent researchers.
I'd say 50-50.
You got company teams,
but they're a little bit smaller
and the rest are independent researchers
like myself and Radek.
Yeah.
In 2018, the Chinese government wrote a new policy
to discourage security researchers
from participating in sharing exploits
at foreign hacking competitions
like Pwn2Own or even CTFs.
I guess they want to keep the exploits within China and not share them.
Oh yeah, CTFs. This is a totally different kind of hacker contest.
It's called Capture the Flag. And if you want to know more about this, check out episode 43 called
PPP. And actually in that episode, I said whoever wins DEF CON's Capture the Flag contest can
rightly claim to be the best hackers in the world. But I'm starting to think that Pwn2Own is right up there too as being one of the most prestigious
hacking events. I'm pretty sure it's one of the highest paying hacker contests too. But like these
guys said, there are certainly better hackers out there. They're just in the shadows. But it makes
you think about how precious a zero-day exploit is. Together, Radek and Pedro have found over 200 zero-day exploits
which can do remote code execution,
while other governments and mercenary hacker groups out there
are buying exploits and holding on to them tight,
treating them as precious, expensive, top-secret tools.
So what does that say about hackers who have so many zero-days
that have no problem demonstrating
them at contests versus hackers who would never share their zero days with others?
I don't know, actually.
But I do get worried sometimes that zero-day hacking tools are sometimes only available
for the elite or rich to buy and are used for nefarious reasons.
And something like a ZDI is out there trying to level
that playing field, making those exploits no longer usable. Because we're all patching our
routers and computers and phones and software and operating systems, right? Because when we apply
patches to software, it fixes any vulnerabilities that that vendor knows about, rendering attacks like this
useless. So again, I'm urging you, patch your stuff. So guys, how did you celebrate when you
won Masters of Pwn? Well, you know, due to coronavirus, we can't celebrate together
unfortunately, but you know, I guess I got drunk that day.
I can tell that.
Yeah, definitely.
It is a good feeling.
So we are aiming for Masters of Pwn.
We are super happy it happened.
And I'm sure we're going to celebrate properly
when the coronavirus situation is over
and we can meet again.
Again, probably going to do some motorbike trip
and think about the future.
What's the next project.
Yeah.
Have some more stuff.
A big thank you to Dustin Childs and Brian Gorenc from the Zero Day Initiative.
Thanks for all the contests you put together and the money you've paid out for this.
It really does help us all stay more secure.
2020 marks the 15th anniversary of ZDI, and it's still going strong and bigger than ever.
Can't wait to see what stories come out in the next 15 years.
Also, a big thank you to Pedro and Radek from Team Flashback.
Congrats on the win and good luck in your next contest.
If you like the show, if it brings value to you,
consider donating to it through Patreon.
When you buy a book or watch a movie,
you pay for it before you know if it's worth money.
But I give you this show without any upfront cost or barrier
so you can decide if it brings value to you
and is worth supporting.
Please show your appreciation for the show
by visiting patreon.com slash darknetdiaries
and become a member.
Thank you.
This show is made by me,
the master of nothing,
Jack Rhysider.
Editing help this episode by the little pony, Damien.
And our theme music is by the Saturn Ring Collector,
Breakmaster Cylinder.
And even though I pour gas on my firewall
whenever I really need to stoke that fire inside it,
this is Darknet Diaries.