November 9, 2019

Pwn2Own 2019

I managed to get the chance to participate in Pwn2Own 2019 this year, having joined F-Secure two months ago.

In total we had 4 entries:

TP-Link AC1750 Smart WiFi Router - LAN - $5,000
TP-Link AC1750 Smart WiFi Router - WAN - $20,000
Xiaomi Mi 9 - Browser Category - $20,000
Xiaomi Mi 9 - Short Distance Category - $30,000

Although my TP-Link exploits were both successful, the LAN had a collision with a previous team's entry and so no points were earned from it, resulting in a partial result. ZDI, however, were kind enough to give the full payout to the team.

By far the most popular part of the router exploits was the light shows I had triggered once the exploits were complete. The favourite was the Snake Lights.

The Xiaomi exploits were written by my teammates, who exfiltrated images from the target devices. Both exploits were successful and received full payouts. The Browser exploit chain did result in partial points due to the Xiaomi team being aware of one of the vulnerabilities used.

Overall a great time in Tokyo with the team. Very much looking forward to it again next year!