Announcing Pwn2Own Ireland – Bringing Pwn2Own (and WhatsApp) to the Emerald Isle

If you just want to read the rules, you can find them here.

Over the last few years, our consumer-focused Pwn2Own event took place in the Trend Micro office in Toronto. However, that office closed, so we needed to find a new home. This isn’t unusual for this event, as it moved from Amsterdam to Tokyo to Austin to Toronto. We’re moving again. This year, we are heading to our offices in Cork, Ireland! We’re excited about our new location, and I personally have viewed several locations for after-hours and special events. Some of those will be secret until the competition, but I can tell you that our awards ceremony and end-of-contest party will be held at the historic Cork City Goal. It promises to be a fun and spooky event, and we’ll have more details about that in the future.

Beyond our new location, we’re excited to announce Meta has joined as a sponsor of this event and will participate in the new Messenger App category. That’s right – WhatsApp will be a target, with both 0-click and 1-click exploits being in scope. We’re offering $300,000 USD for a 0-click, so we hope to see some great research on an application used by millions. We’re also excited to announce the return of Synology as a co-sponsor of the event and QNAP joins them as a co-sponsor.

The Messenger App category isn’t the only exciting thing heading to Ireland. This will be our first competition to feature AI-enabled devices. Both the Samsung and Google phones include Galaxy AI and Google AI respectively. Multiple Synology devices use AI for tasks such as people and vehicle recognition on the cameras and AI-driven photo albums on their NAS devices. The Ubiquiti camera also uses AI for greater detection precision and range. There’s no special bonus for exploiting an AI feature, but it will be interesting to see if AI helps or hurts exploit attempts.

Last year’s favorite category was the “SOHO Smashup”, and it returns for another year. This category challenges contestants by having them start by exploiting the external interface of a router, compromise the router, and then pivot to another device connected to the network. In the Toronto event last year, several teams had winning entries in this category. It’s always amazing to watch the researchers as they pivot through multiple attack surfaces to hit their final goal. We’re also bringing wired and wireless cameras back into the contest under the surveillance category. Last year, we awarded $1,038,500 during the event for 58 unique 0-days. It will be interesting to see if the luck of the Irish will take that number up or down.

As for the contest itself, it will run from October 22-25, 2024. As always, we’ll have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there. Registration closes at 5:00 p.m. Irish Standard Time on Oct 17th, 2024. There are no exceptions for late entries, so if you have questions, please contact us at pwn2own@trendmicro.com (note the new address). We will be happy to address your issues or concerns directly.

Now on to the specific target categories. We’ll have seven different categories for this year’s event:

Back in Amsterdam where this contest originated, it was originally dubbed “Mobile Pwn2Own” and our focus was strictly on phones. Mobile handsets remain at the heart of this event, and some of the Samsung entries from last year were absolutely smashing. As always, these phones will be running the latest version of their respective operating systems with all available updates installed. You may notice there are no Xiaomi devices in this year’s event. That’s because, during the contest last year, they took measures to ensure attempts would fail. They didn’t seem to mind that those measures impacted all of their users globally. While we do encourage shenanigans, that’s a bit too far to be considered fair. Thus, they are not returning. If you want more details about what happened, be sure to check out Ken Gannon and Ilyes Beghdadi’s upcoming DEFCON talk about the subject.

In this category, contestants must compromise the device by browsing to content in the default browser for the target under test or by communicating with the following short-distance protocols: near field communication (NFC), Wi-Fi, or Bluetooth. The awards for this category are:

The Google and Apple devices in this category also include an add-on bonus. If your exploit payload executes with kernel-level privileges, you earn an additional $50,000 and 5 more Master of Pwn points. That means a full exploit chain that includes kernel-level access on the iPhone or Pixel will earn $300,000 and 30 Master of Pwn points.

Almost everyone uses some messenger app in their daily lives, and these apps have been the target of sophisticated threats in the past. We’re excited that Meta has agreed to sponsor this event and are hopeful that one (or more) of our contestants will demonstrate a WhatsApp exploit. Both 0-click and 1-click exploits are in scope. All valid submissions must use vulnerabilities reachable via WhatsApp and must not depend on other applications. All WhatsApp entries will be run on a Google Pixel 8.

The proliferation of WFH resulted in many enterprises finding their network perimeter relocated to the home office. Threat actors exploiting home routers and consumer devices can use these as a launch point for lateral movements into enterprise resources. We wanted to demonstrate this during the contest, which means the SOHO Smashup category continues to be relevant. Contestants will need to first compromise the WAN port on a selected router. Once they accomplish that not-so-insignificant feat, they will need to pivot to one of the other devices and compromise it as well. The contestant is free to select any combination of router and home automation hub, smart speaker, printer, or network-attached storage device during the registration process – although you won’t have some of the same easy targets as last year. If they get both devices within 30 minutes, they earn $100,000 and 10 Master of Pwn points.

Last year, we introduced this category not knowing what to expect. As usual, our contestants did not disappoint as they unleashed some fantastic exploits – including taking over a camera just by showing it a QR code. Cameras continue to be a part of daily life, and we can’t wait to see what research is put on display this year. An attempt in this category must be launched against the target’s exposed network services or the target’s exposed features from the contestant’s laptop within the contest network.

Many of the cameras and other “smart” devices are connected to a centralized hub. From lights to locks to thermostats, cameras, and more, all can be accessed through a home automation hub. Of course, that means a threat actor could potentially access them as well. This year, we’re introducing the AeoTec Smart Home Hub in this category, so we’ll see if our contestants take a run at it. Here are the targets in the Home Automation category:

Printers have long been the source of jokes and memes, but they are also an often overlooked attack surface in your office. The printer category always produces some interesting results, often by playing music it shouldn’t or the occasional Rick Roll. It will be interesting to see what exploits the contestants come up with this year.

Smart speakers continue to play a large part in our daily interactions with music, news, and more. They also offer an attack surface for threat actors to target. For this event, Pwn2Own Ireland has three targets available in this category.

NAS devices make their return to Pwn2Own. This year, QNAP and TrueNAS enter as targets alongside the returning Synology devices. An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network. For the Synology DiskStation target, we’ll have several packages enabled and in scope. These packages are as follows:

— MailPlus
— Drive
— Virtual Machine Manager
— Snapshot Replication
— Surveillance Station
— Photos

Here’s the full table of targets in the NAS category for 2024:

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2025).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt. For example, someone registers for the Apple iPhone 15 with the Kernel Bonus Add-on. During the attempt, the contestant drops the Kernel Bonus Add-on but completes the attempt. The final point total will be 20 Master of Pwn points.

The Complete Details

The full set of rules for Pwn2Own Ireland 2024 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Irish Standard Time on Oct 17th, 2024.

The Results

We’ll be blogging and tweeting results in real time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OIreland hashtag for continuing coverage.

We look forward to seeing everyone in Cork, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Ireland partner Meta and our co-sponsors, Synology and QNAP, for providing their assistance and technology.

©2024 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.