A security researcher duo known as Team Fluoroacetate won the recently concluded Pwn2Own hacking contest, held in Tokyo, Japan by the Zero Day Initiative, TechCrunch reported. Teammates Amat Cama and Richard Zhu successfully developed and implemented severe exploits for various devices, including an Amazon Echo. The two earned a total of $195,000 in cash prizes.
Cama and Zhu worked together to exploit bugs in different devices and won the highest title, Master of Pwn. To hack the most recent release of the Alexa-powered Amazon Echo Show 5, the duo developed an integer overflow exploit. This enabled the researchers to fully control the device when it was connected to a compromised Wi-Fi network.
The vulnerability stemmed from the device’s use of an outdated version of Chromium, an open-source browser project by Google.
Their winning exploit involving the Echo Show 5 resulted in Amazon’s discovery of the bug. In light of this, Amazon told TechCrunch that it was “investigating this research and will be taking appropriate steps to protect our devices on our investigation.”
However, the media outlet noted that the company did not outline what kind of measures it would take to address the issue or when a fix would be available.
Aside from the Alexa-powered unit, Pwn2Own 2019 also featured other devices, including Facebook Portal, the company’s smart display system, and Sony’s X800G smart TV. Team Fluoroacetate successfully hacked Sony’s unit and the Samsung Q60 smart TV, according to ThreatPost. The team won $15,000 and $20,000, respectively, for their feat.
Cama and Zhu also compromised Samsung’s flagship release, the Galaxy S10, earning $50,000. They found a second bug in the smartphone, resulting in a reward of $30,000. In addition, they exploited a vulnerability in the Xiaomi Mi9, earning a $20,000 cash prize.
None of the participating teams, including Team Fluoroacetate, were able to hack Facebook’s new system.
However, two other teams, F-Secure Labs and Team Flashback, also dominated the contest. F-Secure Labs found and exploited several systems, including the Xiaomi Mi9, a browser, and the TP-Link AC1750 Smart Wi-Fi. The team won $30,000 for the Mi9 bug and $20,000 each for the browser and router categories, amounting to $70,000.
Meanwhile, new contestant Team Flashback secured a total of $100,000 in cash prizes for their exploits for the TP-Link browser and NETGEAR Nighthawk Smart WiFi Router.
The companies that produced the compromised devices have been notified by the organizers. They are given 90 days to develop fixes before the information is disclosed to the public.