Facebook Portal survives Pwn2Own hacking contest, Amazon Echo got hacked

Amazon Echo, Samsung and Sony smart TVs fall on first day of Pwn2Own Tokyo 2019 hacking contest.

Amazon Echo Dot 3rd-gen

Facebook

Amazon Echo speakers, Samsung and Sony smart TVs, the Xiaomi Mi9 phone, and Netgear and TP-Link routers were hacked on the first day of the Pwn2Own hacking contest.

The second and final day will soon be underway, and it appears that Google Nest cameras and Facebook Portal hubs will survive this year's competition unscathed, as no security researchers announced plans to attempt an exploit later today.

Pwn2Own and how it works

The Pwn2Own hacking contest is being held this week in Tokyo, Japan. It is one of the two Pwn2Own hacking competitions held each year.

The first takes place in the spring in North America and focuses solely on hacking browsers, operating systems, server technology, and virtual machines.

The second, held each fall in Tokyo, focuses on mobile technologies, and last year was the first time that Pwn2Own organizers expanded the fall edition to also include smart home devices.

The contest goes by a simple set of laws. Organizers publish each year a list of targets for each of the two editions, months in advance.

Security researchers who want to participate spend their time probing targeted devices for vulnerabilities they could exploit during the competition.

Once the contest starts, the rules are simple. Researchers choose a target device and deploy an exploit. If the exploit succeeds and takes over the device, researchers win a money prize and points towards an overall ranking.

All the bugs and exploits used during the competition are handed over to organizers, who then report them to the respective vendors.

The concept is simple and is what helped make Pwn2Own the must-attend hacker contest in the world. The event often receives huge sponsorships from many of the vendors whose devices are listed as targets, and many companies send representatives to the competition to pick up bug reports in person and have them fixed within hours or days.

Facebook Portal survives

Last year, during the first Pwn2Own edition that allowed smart home devices, organizers let security researchers go after Apple Watch, Amazon Echo, Google Home, Amazon Cloud Cam, and Nest cams.

This year, the apple of everyone's eye was undoubtedly Facebook's Portal home automation system.

Launched in November 2018, just days after Pwn2Own Tokyo 2018 concluded, the infosec community has been waiting to see how the device would fare in the face of today's top hackers.

The answer arrived today when contest organizers published the first's day's results and the second day's upcoming hacking sessions.

The results? Nobody wanted a piece of the Facebook Portal, and nor did they want to hack Google's Home assistant.

Security researchers chose to go after the easier targets, like routers and smart TVs, known for running weaker firmware than what you'd usually find on a smart speaker or home automation hub.

However, in a surprising turn of events, one smart speaker did fall to hackers. However, these weren't just any security researchers. They were Team Fluoroacetate, made up of Amat Cama and Richard Zhu, the winners of the last two Pwn2Own competitions -- in March 2019 and November 2018 -- and currently considered some of the world's best hackers.

The duo didn't just hack the Amazon Echo, but they also successfully hacked Sony and Samsung smart TVs, and the Xiaomi Mi9 smartphone, taking a comfortable lead and are now expected to win their third tournament in a row.

Below is the list of this year's target devices, the results of the first day, and the schedule for the second day (which will update in the coming hours with the results as they come in).

This year's targets

Handsets:

-       Xiaomi Mi 9
-       Samsung Galaxy S10
-       Huawei P30
-       Google Pixel 3 XL
-       Apple iPhone XS Max
-       Oppo F11 Pro 

Wearables:

-       Apple Watch Series 4
-       Oculus Quest (64Gb)

Home Automation:

-       Portal from Facebook
-       Amazon Echo Show 5
-       Google Nest Hub Max
-       Amazon Cloud Cam Security Camera
-       Nest Cam IQ Indoor

Televisions:

-       Sony X800G Series - 43"
-       Samsung Q60 Series – 43"

Routers:

-       TP-Link AC1750 Smart WiFi Router
-       NETGEAR Nighthawk Smart WiFi Router (R6700)

Day One results

09:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Sony X800G in the Television category

SUCCESS – The Fluoroacetate duo used a Javascript OOB Read bug to exploit the television's built-in web browser to get a bind shell from the TV. They earned $15K and 2 Master of Pwn points.


10:00 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the NETGEAR Nighthawk Smart WiFi Router (R6700) (LAN interface) in the Router category

SUCCESS - The Flashback team used an auth bypass followed by a stack-based buffer overflow to get a shell on the router. They earned $5,000 and .5 points towards Master of Pwn.


11:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Amazon Echo in Home Automation category

SUCCESS – The Fluoroacetate duo used an integer overflow in JavaScript to compromise the device and take control. They earned $60,000 USD and 6 more Master of Pwn points.


12:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Q60 in the Television category

SUCCESS - Richard Zhu and Amat Cama continued their successful day by using an integer overflow in JavaScript to get a reverse shell from the Samsung Q60 television. They earned another $15,000 USD and 2 more Master of Pwn points.


13:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Xiaomi Mi9 in the Web Browser category

SUCCESS - Amat Cama and Richard Zhu of Fluoroacetate used a JavaScript bug that jumped the stack to exfiltrate a picture from the Xiaomi Mi9. They earned $20,000 USD and 2 additional Master of Pwn points.


14:00 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the NETGEAR Nighthawk Smart WiFi Router (R6700) (WAN interface) in the Router category

SUCCESS - The Flashback team of Pedro Ribeiro and Radek Domanski were able to remotely modify the router's firmware such that their payload persisted across a factory reset. They earned $20K and 1 more Master of Pwn point.


15:00 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the TP-Link AC1750 Smart WiFi Router (LAN interface) in the Router category

SUCCESS - In their final attempt of the day, Pedro Ribeiro and Radek Domanski (Team Flashback) use a combination of 3 bugs starting witha command injection to get their code executing on the router. They earned $5,000 and .5 Master of Pwn points. That brings their one-day total to $30,000.


16:00 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the TP-Link AC1750 Smart WiFi Router (LAN interface) in the Router category

PARTIAL - In the first bug collision of this Pwn2Own, the successful attempt from F-SecureLabs turns out to have used some of the same bugs as a previous contestant. It still qualified as a partial win, but no Master of Pwn points are awarded.


17:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Short Distance category

SUCCESS - The Fluoroacetate duo used a bug in JavaScript JIT followed by a Use After Free (UAF) to escape the sandbox to grab a picture off the Samsung Galaxy S10 via NFC. Their final entry for Day One earns them $30,000 and 3 Master of Pwn points.


18:00 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the Xiaomi Mi9 in the Web Browser category

PARTIAL - The F-Secure Labs team successfully chained a couple of logic bugs to exfiltrate a picture from the phone, however one of the bugs was known by the vendor. That makes it a partial win, but they still received $20,000 and 2 Master of Pwn points.

Day Two schedule

10:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Oppo F11 Pro in the Baseband category

WITHDRAWN - The team has withdrawn this entry.


11:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Baseband category

SUCCESS - The duo used a stack overflow to push their file on to the handset. The successful demonstration earned them $50,000 and 5 Master of Pwn points.


12:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the NETGEAR Nighthawk Smart WiFi Router R6700 (LAN interface) in the Router category

PARTIAL - Although the team had a successful demonstration, the auth bypass used had also been used by a previous contestant. This counts as a partial win.


13:00 - Pedro Ribeiro and Radek Domanski (Team Flashback) targeting the TP-Link AC1750 Smart WiFi Router (WAN interface) in the Router category

SUCCESS - The duo used a stack overflow combined with a logic bug to get code execution through the WAN port of the TP-Link AC1750. They earn $20,000 and one Master of Pwn point.


14:00 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the TP-Link AC1750 Smart WiFi Router (WAN interface) in the Router category

SUCCESS - The team from F-Secure combined a command injection bug along with some insecure settings to achieve their code execution via the WAN interface. The effort earns them $20,000 and one Master of Pwn point.


15:00 - Mark Barnes, Toby Drew, Max Van Amerongen, and James Loureiro (FSecureLabs) targeting the Xiaomi Mi9 NFC component in the Short Distance category

SUCCESS - The F-Secure crew used an cross-site scripting (XSS) bug in the NFC component of the Xiaomi Mi9 to exfiltrate data just by touching their specially made NFC tag. Their efforts earned them $30,000 and 3 more Master of Pwn points.


16:00 - Amat Cama and Richard Zhu (fluoroacetate) targeting the Samsung Galaxy S10 in the Web Browser category

PARTIAL - Richard and Amat used an integer overflow with a UAF to escape the sandbox, however the overflow had been used by a previous contestant. This counts as a partial win.