63 Unique Zero Day Bugs Identified and Exploited at Pwn2Own Toronto 2022

Pwn2Own Toronto 2022, a contest run by Trend Micro’s Zero Day Initiative that rewards hackers for identifying and exploiting zero-day vulnerabilities, saw exploits demonstrated for 63 unique zero-day bugs in consumer products, earning hackers a total of $989,750 in prize money.

This was the 10th year that the contest has been held. This year, 26 contestants and teams tried to hack the commercial software of 66 products from a variety of manufacturers in several product categories. A new Small Office Home Office (SOHO) category was added this year in response to the increase in home workers, as SOHO software could potentially be targeted by hackers and provide an easy route into corporate networks.

The contest ran for 3 days between December 6th and December 9th and saw hackers attempt to compromise mobile phones, NAS devices, printers, smart speakers, and routers. All of the targeted equipment and software had been fully patched and were in their default configurations.

The top 3 teams were DEVCORE, which earned 18.5 Master of Pwn points and $142,500 in bounties; Team Viettel, with 16.6 points and $82,500 in bounties; and NCC Group EDG, with 15.5 points and $78,750 in bounties. This is the second time that the DEVCORE team has won the contest. Across the contest, teams successfully exploited zero-day bugs in Canon, HP, and Lexmark printers; Synology, NETGEAR, and TP-Link routers; the WD My Cloud Pro Series NAS; and the Samsung Galaxy S22 phone. This year saw two successful attempts in the SOHO category and four successful attempts on the Samsung Galaxy S22 phone.

All zero-day bugs identified during the contest are reported to the relevant vendors, who are given 120 days to release patches to fix the flaws before details are publicly released.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news