Sony and Samsung connected TVs and Amazon Echo were hacked on the first day of the 2019 Pwn2Own Tokyo hacking contest.
The Amazon Echo speakers, Samsung and Sony smart TVs, the Xiaomi Mi9 phone, and the Netgear and TP-Link routers were hacked on the first day of the Pwn2Own hacking contest.
Pwn2Own: how does it work?
The Pwn2Own hacking contest took place last week in Tokyo, Japan. This is one of two Pwn2Own hacking competitions held each year.
The first is in the spring in North America and focuses solely on browser piracy, operating systems, server technology, and virtual machines.
The second, held every autumn in Tokyo, is focused on mobile technologies. Last year, it was the first time that Pwn2Own organizers were expanding the fall edition to include home automation devices as well.
The contest follows a set of simple rules. The organizers publish each year a list of targets for each of the two editions, months in advance. Security researchers who want to participate can look for vulnerabilities they might exploit during the competition for targeted devices.
Once the contest is launched, the rules are simple. Researchers choose a target device and deploy a feat. If the feat succeeds and takes control of the device, the researchers win a cash prize and points as part of a general ranking.
All bugs and exploits used during the competition are given to the organizers, who then communicate them to the respective sellers.
The concept is simple and has helped make Pwn2Own the hacker contest not to be missed in the world. The event often receives huge sponsors from vendors whose devices are listed as targets, and many companies send representatives to the competition to collect the bug reports in person and fix them in hours or days.
The Portal of Facebook holds the shock
Last year, at the first edition of Pwn2Own, to allow home automation devices, organizers let security researchers tackle the Apple Watch, Amazon Echo, Google Home, Amazon Cloud Cam and at Nest.
This year, all eyes were on Facebook’s portal automation system.
Launched in November 2018, just days after the last edition of Pwn2Own Tokyo 2018, the computer security community was waiting to see how the device would behave against the most successful hackers of the moment.
The answer came today when the contest organizers released the first day’s results and the day two hacking sessions.
The results? Nobody wanted to attack Portal or Google Home Assistant.
Security researchers have chosen the easiest targets, such as routers and connected TVs, known for their lower firmware than the one you would usually find on a smart speaker or home automation hub.
A smart speaker was nevertheless hacked by participants. However, these were not simple security researchers. It was the Fluoroacetate team, made up of Amat Cama and Richard Zhu, winner of the last two Pwn2Own competitions – in March 2019 and November 2018. The participants of this team are considered the best in the world.
The duo not only hacked Amazon Echo, it also managed to hack into Sony and Samsung connected TVs, as well as the Xiaomi Mi9 smartphone, taking a comfortable lead to win their third tournament in a row.