Trend Micro Incorporated announced the winners of its fall Pwn2Own competition held through the Zero Day Initiative. $989,750 in prizes were awarded throughout the event with the purchase of 63 unique zero days. The real-world impact if these vulnerabilities were weaponized would amount to 10x in time, data and financial loss.  

To read more about the Pwn2Own Toronto event and the final competition winners, please visit:   

“As a security vendor we have a responsibility not just to protect our corporate customers but also to make the connected digital world a safer place in which to live and work,” said Dustin Childs, Head of Threat Awareness at Trend Micro’s ZDI. “Pwn2Own this year has revealed a slew of new vulnerabilities which will do exactly that, whilst also highlighting the growing security threat from the distributed workforce.”

An estimated 80% of US employees are currently working from home some or all of the time, according to Gallup. However, that can expand the corporate attack surface if devices like routers, smart speakers, printers and network attached storage (NAS) are not properly secured. Vulnerabilities in household devices disclosed through Pwn2Own and Trend Micro’s Zero Day Initiative inform Trend Micro’s industry-leading threat intelligence that secures increasingly entangled consumer and enterprise networks.

Several waves of Deadbolt ransomware that compromised global NAS devices this year highlight the potential risk for businesses.

Attackers could also use compromised small office/home office (SOHO) connected devices as a jumping-off point for lateral movement within a network, potentially leading to a device connected to corporate resources. 

That’s why this year’s fall Pwn2Own competition featured a “SOHO Smashup” category that challenged hackers to exploit a Wi-Fi router and connected device. If contestants were able to take complete control of both devices within 30 minutes, they could earn $100,000 and 10 Master of Pwn points.

Raising awareness of the risks to SOHO equipment comes amidst government moves to enhance buyers’ confidence, in a technology where responsibility for security often falls between employee and enterprise.

In the EU, legislation is being proposed to mandate minimum security requirements of connected device vendors, while in the US there are moves afoot to launch a new labelling system akin to Energy Star.

Pwn2Own was held from 6-8 December 2022 in Trend Micro’s Toronto offices, with Trend Micro offering to reimburse up to $3,000 in travel expenses for teams participating in person. Those unable to attend were able to log in remotely.

The overall Master of Pwn winner was DEVCORE with 18.5 points and $142,500 in prizes. The top five contestants were:

To learn more about Pwn2Own and recap highlights of the event, visit the ZDI blog.