It’s easy to think of
hackers in the colloquial sense as being the enemies of society. People who break into computer systems and sabotage electronics to gain control of them or steal data; how could someone like that be of benefit to society at large? The answer is that a great many so-called “hackers” are in fact
security experts who know from experience where to look for security holes, and are also often consulted for help in closing them.
These “white hat” hackers hunt for security holes and application exploits, then report them to vendors to claim bug bounties, but some vendors are either unwilling to pay for such services or are simply difficult to contact. Back in 2005, Trend Micro set up the Zero Day Initiative for exactly that reason. It’s a group that works with security researchers to identify “zero-day” vulnerabilities in tech products and then act as an intermediary with the vendors to see them fixed.
The Zero Day Initiative sponsors multiple yearly events called Pwn2Own, where hackers gather to make time-limited attempts to exploit specific products. This year’s event in Austin was the largest-ever, with 58 total entries from 22 different security teams. Contestants have 30 minutes to deploy their exploit and gain unapproved privileges, remote code execution, or other unauthorized access to their targets.
The Initiative has a list up
on its blog of all of the entries and their results, and there’s some good stuff in there, but by far the most entertaining result has to be F-Secure Labs’ 11:00 submission on Thursday where the three experts hacked an HP Color Laserjet Pro MFP M283fdw and turned it into a jukebox, playing AC/DC’s “Thunderstruck” through its tiny (and tinny) speaker. You can see/hear a brief clip of that in action, in the tweet below…
Other targeted devices at this year’s Pwn2Own event include NAS devices from WD, routers and home gateways from Netgear, Cisco, and TP-Link, printers from Canon and Lexmark, the Sonos One speaker, and notably, Samsung’s Galaxy S21 smartphone. All of these devices were running the latest firmware and security patches, yet all of them were hacked.
Not to worry, though; the ZDI doesn’t disclose or publish the exploits…
