The first day of the Pwn2Own hacking contest held in Tokyo has concluded, and a dual-member team of white-hat hackers by the name of Fluoroacetate cleaned up the house. After successfully hacking past numerous devices from multiple manufacturers, such as Samsung and Xiaomi, the team collected a bounty of $145,000 and secured a commanding lead in the contest after accruing 15 Master of Pwn points.

Pwn2Own is an annual computer hacking contest that started in 2007, and its name is derived from the fact that contestants must "pwn" or hack the device in order to "own" or win it. The purpose of the contest is to demonstrate the vulnerability of devices and software in widespread use. All the bugs and exploits used during the competition are handed over to the event organizers, who in turn forward them to the respective vendors. For each successful takeover of a device, the contestant wins prize money and points that count toward an overall ranking. The winner earns the title of Master of Pwn.

Team Fluoroacetate, comprising of members Amat Cama and Richard Zhu, started its winning streak by first targeting the Sony X800G smart TV. Using a Javascript OOB Read bug to exploit the television’s built-in web browser, the team gained control of the device to earn $15K and two Master of Pwn points.


Richard Zhu and Amat Cama of team Fluroacetate

Next up in its crosshair was the Amazon Echo Show 5, which the duo compromised using an integer overflow in JavaScript. This victory earned the team $60K and six more Master of Pwn points. Within the next few hours, the team continued slicing past the security of several more devices: Samsung Q60 smart TV ($15K, 2 points), Xiaomi Mi9 smartphone ($20K, 2 points), and Samsung Galaxy S10 ($30K, 3 points).

Fluoroacetate finished day one with a total bounty of $145,000 and 15 Master of Pwn points, putting it in a comfortable lead position over the other teams. As the winner of the previous two Pwn2Own contests, Fluoroacetate is expected to win its third tournament in a row.

Day two of the contest is currently underway, and its schedule and list of target devices have been published on the Zero Day Initiative website.

The second and final day of the Pwn2Own tournament has concluded and as expected, Fluroacetate has emerged as the winning team and crowned the Master of Pwn.

The duo's most notable accomplishment of the day was the takeover of the Samsung Galaxy S10 that earned the team $50K and five Master of Pwn points. Although this was good news for Fluoroacetate, it was an embarrassing moment for Samsung, as this marks the third year in a row that the company's phones have been compromised via a baseband attack vector.

Fluoroacetate finished the tournament with a total bounty of $195,000, 18.5 Master of Pwn points, and a trophy and some jackets for their accomplishments.

The other teams did pretty well for themselves as well, with newcomer team Flashback finishing with a total of $50K, and the F-Secure Labs team securing second place with a bounty of $70K and a total of six Master of Pwn points.

In the end, more than $315,000 was awarded to the contestants while purchasing 18 different bugs in the various products. The onsite vendors have been given the details of the bugs, and they now have 90 days to produce security patches.

As demonstrated by the tournament, the devices that we rely on every day in our connected lives remain all too vulnerable, and the importance of the contributions made by white-hat hackers and security researchers cannot be understated.

To stay update-to-date on future Pwn2Own contests, check out the Zero Day Initiative's Twitter.