
Pwn2Own

Pwn2Own is a computer hacking contest, typically held in conjunction with security conferences such as the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held two to three times a year, most recently in March 2024. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

History
Origins
The first contest in 2007 as well as Apple's television commercials that trivialized the security built into the competing Windows operating system. At the time, there was a widespread belief that, despite these public displays of vulnerabilities in Apple products, OS X was significantly more secure than any competitor. On March 20, roughly three weeks before CanSecWest that year, Ruiu announced the Pwn2Own contest to security researchers on the DailyDave mailing list. Forslof agreed to have ZDI offer to purchase any vulnerabilities used in the contest for a flat price of $10,000. The first contest subsequently exposed a high-profile QuickTime flaw, which was disclosed to Apple on April 23 and patched in early May.

Google ceased to be a sponsor of Pwn2Own in 2015. Hacks focus on browsers, virtual machines, computers, and phones. The 2025 Pwn2Own event was hosted at OffensiveCon in Berlin.
Award system
Winners of the contest receive the device that they exploited and a cash prize. Winners also receive a "Masters" jacket celebrating the year of their win.
List of successful exploits
The following list of notable hacks is incomplete.
Yearly contests
2007
The contest took place from Thursday, April 18 to Saturday, April 20, 2007, in Vancouver. In one night, Dai Zovi found and exploited a previously unknown vulnerability in a QuickTime library loaded by Safari. The following morning, Dai Zovi sent his exploit code to Macaulay, who placed it on a website and e-mailed the contest organizers a link to it. When clicked, the link gave Macaulay control of the laptop, winning the contest by proxy for Dai Zovi, who gave Macaulay the 15" MacBook Pro. Dai Zovi separately sold the vulnerability to ZDI for the $10,000 prize.

2008
Pwn2Own 2008 took place from Thursday, March 26 to Saturday, March 28, 2008. Dragos refined the contest with the help of a wide panel of industry experts, and the contest was administered by ZDI, who would again offer to purchase the vulnerabilities after their demonstration. As with all the vulnerabilities that ZDI purchases, the details of the vulnerabilities used in Pwn2Own would be provided to the affected vendors, and public details would be withheld until a patch was made available. The laptop running Windows Vista SP1 was exploited on the third day of the contest with an exploit for Adobe Flash co-written by Shane Macaulay, Alexander Sotirov, and Derek Callaway. After the contest, Adobe disclosed that they had co-discovered the same vulnerability internally and had been working on a patch at the time of Pwn2Own. The laptop running Ubuntu was not exploited.

2009
Pwn2Own 2009 took place over the three days of CanSecWest from Thursday, March 18 to Saturday, March 20, 2009. After having considerably more success targeting web browsers than any other category of software in 2007, the third Pwn2Own focused on popular browsers used on consumer desktop operating systems. It added another category of mobile devices, which contestants were challenged to hack via many remote attack vectors including email, SMS messages, and website browsing.
All contestants who demonstrated successful exploits at the contest were offered rewards for the underlying vulnerabilities by ZDI, $5,000 for browser exploits and $10,000 for mobile exploits. On day 1, contestants had to target functionality in the default browser without access to any plugins. On day 2, Adobe Flash, Java, Microsoft .NET Framework, and QuickTime were included. On day 3, other popular third-party plugins were included, like Adobe Reader. Multiple winners per target were allowed, but only the first contestant to exploit each laptop would get it.

Mobile device targets included BlackBerry, Android, Apple iPhone 2.0 (T-Mobile G1), Symbian (Nokia N95) and Windows Mobile (HTC Touch) phones in their default configurations. As with the browser contest, the attack surface available to contestants expanded over three days. In order to prove that they were able to successfully compromise the device, contestants had to demonstrate they could collect sensitive data from the mobile device or incur some type of financial loss from the mobile device owner.

A researcher identified only as Nils was selected to go after Miller. Nils successfully ran an exploit against Internet Explorer 8 on Windows 7 Beta. In writing this exploit, Nils had to bypass anti-exploitation mitigations that Microsoft had implemented in Internet Explorer 8 and Windows 7, including Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR). Nils continued trying the other browsers. Although Miller had already exploited Safari on OS X, Nils exploited this platform again, then moved on to exploit Firefox successfully. Near the end of the first day, Julien Tinnes and Sami Koivu (remote) successfully exploited Firefox and Safari on OS X with a vulnerability in Java. At the time, OS X had Java enabled by default, which allowed for reliable exploitation against that platform.
However, due to having reported the vulnerabilities to the vendor already, Tinnes' participation fell outside the rules of the contest and was unable to be rewarded. The next days of the contest did not attract any additional contestants. Chrome, as well as all of the mobile devices, went unexploited in Pwn2Own 2009.

2010
The competition started on March 24, 2010, and had a total cash prize pool of US$100,000. Nine days before the contest was to begin, Apple released sixteen patches for WebKit and Safari. Concerning software to exploit, $40,000 of the $100,000 was reserved for web browsers, where each target is worth $10,000. Among the successful exploits, Charlie Miller hacked Safari 4 on Mac OS X; Nils hacked Firefox 3.6 on Windows 7 64-bit; and Ralf-Philipp Weinmann and Vincenzo Iozzo hacked the iPhone 3GS by bypassing the digital code signatures used on the iPhone to verify that the code in memory is from Apple.

The web browser targets for the 2011 contest included Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. New to the Pwn2Own contest was the fact that a new attack surface was allowed for penetrating mobile phones, specifically over cellphone basebands. The mobile phone targets were Dell Venue Pro running Windows Phone 7, iPhone 4 running iOS, BlackBerry Torch 9800 running BlackBerry OS 6.0, and Nexus S running Android 2.3.

Several teams registered for the desktop browser contest. For Apple Safari, registered competitors included VUPEN, Anon_07, Team Anon, and Charlie Miller. Mozilla Firefox included Sam Thomas and Anonymous_1. Microsoft Internet Explorer teams included Stephen Fewer, VUPEN, Sam Thomas, and Ahmed M Sleet. Google Chrome teams included Moatz Khader, Team Anon, and Ahmed M Sleet. For the mobile browser category, the following teams registered. For the Apple iPhone hack attempt, teams included Anon_07, Dion Blazakis and Charlie Miller, Team Anon, Anonymous_1, and Ahmed M Sleet.
To hack the RIM BlackBerry, the teams were Anonymous_1, Team Anon, and Ahmed M Sleet. To hack the Samsung Nexus S, teams included Jon Oberheide, Anonymous_1, Anon_07, and Team Anonymous. To hack the Dell Venue Pro, teams included George Hotz, Team Anonymous, Anonymous_1, and Ahmed M Sleet.

During the first day of the competition, Safari and Internet Explorer were defeated by researchers. Safari was version 5.0.3 installed on a fully patched Mac OS X 10.6.6. French security firm VUPEN was the first to attack the browser. Internet Explorer was a 32-bit version 8 installed on 64-bit Windows 7 Service Pack 1. Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. This was demonstrated just as with Safari. On day 2, the iPhone 4 and BlackBerry Torch 9800 were both exploited. The iPhone was running iOS 4.2.1; however, the flaw exists in version 4.3 of iOS. Security researchers Charlie Miller and Dion Blazakis were able to gain access to the iPhone's address book through a vulnerability in Mobile Safari by visiting their exploit-ridden webpage.

The new format caused Charlie Miller, successful at the event in past years, to decide not to attend, as it required "on-the-spot" writing of exploits that Miller argued favored larger teams. Hackers went against the four major browsers. Internet Explorer 9 on Windows 7 was successfully exploited next. Firefox was the third browser to be hacked using a zero-day exploit. Safari on Mac OS X Lion was the only browser left standing at the conclusion of the zero-day portion of Pwn2Own. Versions of Safari that were not fully patched and running on Mac OS X Snow Leopard were compromised during the CVE portion of Pwn2Own. Significant improvements in the security mitigations within Mac OS X were introduced in Lion.

Controversy with Google
Google withdrew from sponsorship of the event because the 2012 rules did not require full disclosure of exploits from winners, specifically exploits to break out of a sandboxed environment and demonstrated exploits that did not "win". Google issued a fix to Chrome users in less than 24 hours after the Pwnium exploits were demonstrated.

2013
In 2013, Google returned as a sponsor and the rules were changed to require full disclosure of exploits and techniques used. The Mobile Pwn2Own 2013 contest was held November 13–14, 2013, during the PacSec 2013 Conference in Tokyo. Adobe also joined the contest, adding Reader and Flash. The VUPEN team then exploited Mozilla Firefox, Adobe Flash, and Oracle Java. Pinkie Pie won $50,000, and Google released Chrome updates on November 14 to address the vulnerabilities exploited. Nils and Jon from MWRLabs were successful at exploiting Google Chrome using WebKit and Windows kernel flaws to bypass the Chrome sandbox and won $100,000. George Hotz exploited Adobe Acrobat Reader and escaped the sandbox to win $70,000. James Forshaw, Joshua Drake, and Ben Murphy independently exploited Oracle Java to win $20,000 each. The mobile contest saw contestants winning $117,500 out of a prize pool of $300,000.

2014
Pwn2Own 2014 was held in March in Vancouver at the CanSecWest Conference and was sponsored by Hewlett-Packard. All four targeted browsers fell to researchers, and VUPEN successfully exploited fully updated Internet Explorer 11, Adobe Reader XI, Google Chrome, Adobe Flash, and Mozilla Firefox on a 64-bit version of Windows 8.1, to win a total of $400,000, the highest payout to a single competitor to date. The company used a total of 11 distinct zero-day vulnerabilities. Among other successful exploits in 2014, Internet Explorer 11 was exploited by Sebastian Apelt and Andreas Schmidt for a prize of $100,000.
Mozilla Firefox was exploited three times on the first day, and once more on the second day, with HP awarding researchers $50,000 for each disclosed Firefox flaw that year. Both VUPEN and an anonymous participant exploited Google Chrome. VUPEN earned $100,000 for the crack, while the anonymous entrant had their prize of $60,000 reduced, as their attack relied on a vulnerability revealed the day before at Google's Pwnium contest. Also, Nico Joly of the VUPEN team took on the Windows Phone (the Lumia 1520), but was unable to gain full control of the system. In 2014, Keen Lab hacked Windows 8.1 Adobe Flash in 16 seconds, as well as the OS X Mavericks Safari system in 20 seconds.

2015–2017
Every single prize available was claimed in March 2015 in Vancouver, and all browsers were hacked for a total of $557,500 and other prizes. The top hacker proved to be Jung Hoon Lee, who took out "IE 11, both the stable and beta versions of Google Chrome, and Apple Safari" and earned $225,000 in prize money. Other hacks included Team509 and KeenTeam breaking into Adobe Flash, and other breaks in Adobe Reader. Overall, there were 5 bugs in the Windows operating system, 4 in Internet Explorer 11, 3 in Firefox, Adobe Reader, and Adobe Flash, 2 in Safari, and 1 in Chrome. Google ceased to be a sponsor of Pwn2Own in 2015.

At the contest in March 2016, "each of the winning entries was able to avoid the sandboxing mitigations by leveraging vulnerabilities in the underlying OSs." In 2016, Chrome, Microsoft Edge and Safari were all hacked. According to Brian Gorenc, manager of Vulnerability Research at HPE, they had chosen not to include Firefox that year as they had "wanted to focus on the browsers that [had] made serious security improvements in the last year". After two days of competition, Tencent Security Team Sniper edged out Jung Hoon Lee with 13 more Pwn points, earning them the Master of Pwn title for Pwn2Own 2016.

In 2017, Chrome did not have any successful hacks (although only one team attempted to target Chrome); the browsers that fared next best were, in order, Firefox, Safari and Edge. Mobile Pwn2Own was held on November 1 and 2 in 2017. Various smartphones, including ones using Apple's iOS 11.1 software, were also successfully hacked. The "11 successful attacks" were against the iPhone 7, the Huawei Mate 9 Pro and the Samsung Galaxy S8. Google Pixel was not hacked. Overall, ZDI that year awarded $833,000 to uncover 51 zero-day bugs.

2018
In 2018, the conference was much smaller and sponsored primarily by Microsoft. China had banned its security researchers from participating in the contest, despite Chinese nationals winning in the past, and banned divulging security vulnerabilities to foreigners. A Tianfu Cup was subsequently designed to be a "Chinese version of Pwn2Own", also taking place twice a year. Also, shortly before the 2018 conference, Microsoft had patched several vulnerabilities in Edge, causing many teams to withdraw. Nevertheless, certain openings were found in Edge, Safari, Firefox and more. No hack attempts were made against Chrome, although the reward offered was the same as for Edge. Hackers were ultimately awarded $267,000.

The team shared the findings with Amazon, which said it was investigating the hack and would take "appropriate steps."

Contestants were awarded more than $250,000 over the three-day event as hackers demonstrated multiple exploits in many leading ICS platforms. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were awarded the title of Master of Pwn with winnings of $80,000 and 92.5 Master of Pwn points. Overall, the contest had 14 winning demonstrations, nine partial wins due to bug collisions, and two failed entries.

The spring edition of Pwn2Own 2020 occurred on March 18–19, 2020. Tesla again returned as a sponsor and had a Model 3 as an available target.
Due to COVID-19, the conference moved to a virtual event. The Zero Day Initiative decided to allow remote participation. This allowed researchers to send their exploits to the program prior to the event. ZDI researchers then ran the exploits from their homes and recorded the screen as well as the Zoom call with the contestant. The contest saw six successful demonstrations and awarded $270,000 over the two-day event while purchasing 13 unique bugs in Adobe Reader, Apple Safari and macOS, Microsoft Windows, and Oracle VirtualBox. The duo of Amat Cama and Richard Zhu (Team Fluoroacetate) was crowned Master of Pwn with earnings of $90,000.

The fall edition of Pwn2Own, normally referred to as Pwn2Own Tokyo, was held on November 5–7, 2020. With the lockdown from COVID-19 continuing, the contest was again held virtually and titled Pwn2Own Tokyo (Live From Toronto). ZDI researchers in Toronto ran the event, with others connecting from home. The event had eight winning entries, nine partial wins due to bug collisions, and two failed attempts. Prizes totalling $136,500 were awarded for 23 unique bugs. The Flashback Team (Pedro Ribeiro and Radek Domanski) earned the Master of Pwn title for their Wide Area Network (WAN) router exploits.

2021
On April 6–8, 2021, the Pwn2Own contest took place in Austin and virtually. This year's event expanded by adding the Enterprise Communications category, which includes Microsoft Teams and Zoom Messenger. The first day of the contest saw Apple Safari, Microsoft Exchange, Microsoft Teams, Windows 10, and Ubuntu all compromised. Zoom Messenger was compromised on the second day of the contest with a zero-click exploit. Parallels Desktop, Google Chrome, and Microsoft Edge were also successfully exploited during the contest. Over US$1,200,000 was awarded for 23 unique 0-days. Master of Pwn was a three-way tie between Team DEVCORE, OV, and the team of Daan Keuper and Thijs Alkemade.

2022
Miami (April 19–21)
The second edition of Pwn2Own Miami occurred April 19–21, 2022, at the Fillmore in South Beach, Miami. $400,000 in prize money was awarded. The team of Daan Keuper and Thijs Alkemade from Computest Sector 7 was awarded Master of Pwn with earnings of $90,000.

Vancouver (May 18–20)
Pwn2Own returned to Vancouver on May 18–20, 2022, to celebrate the 15th anniversary of the contest. Over the three-day event, the ZDI awarded US$1,155,000 for 25 unique 0-day vulnerabilities. Day One of the contest set a single-day contest record of US$800,000 awarded for various exploits, including three separate Microsoft Teams demonstrations. One of these exploits required no user interaction and could be used to compromise an entire organization. Also successfully demonstrated were exploits against the Mozilla Firefox and Apple Safari web browsers. Day Two of the contest was highlighted by a remote exploit of the Tesla Infotainment system. Researchers from the Synacktiv Team were able to remotely start the windshield wipers, open the trunk, and flash the headlights of the vehicle. The event's final day saw three of the six Windows 11 privilege escalations successfully demonstrated. All six of these exploits used unique bugs.

Samsung's flagship phone, the Galaxy S22, running the latest Android 13, was hacked in less than a minute. Once all the points were totaled, the STAR Labs team was awarded the title of Master of Pwn with $270,000 and 27 points.

Toronto (December 6–9)