Hackers crack Amazon Echo and Samsung Galaxy S10 at Pwn2Own competition

At the Pwn2Own competition in Tokyo, participants hacked numerous devices via unknown vulnerabilities. Among others, the Amazon Echo, smart TVs from Samsung and Sony, the Xiaomi Mi 9, the Samsung Galaxy S10 and various routers fell prey.

The most compelling hacks came from team Fluoroacetate. On the first day, the duo cracked the Sony X800G via the browser of the television and then an Amazon Echo Show 5 speaker and Samsung Q60 TV, both via an integer overflow in javascript. The team then had time to exploit a javascript bug in a Xiaomi Mi 9 to extract an image from the device. On day two of the competition, Fluoroacetate distinguished itself with hacks from a Samsung S10. The two managed to get a file on the device by deploying their own base station. In total, Fluoracetate managed to score 195,000 dollars and 18.5 points, enough for the title of Master of Pwn.

Team Flashback’s newcomers focused on a Netgear Nighthawk R6700 on the first day, which they managed to invade via a buffer overflow and also managed to adjust the router’s firmware via the WAN interface so that they could use their payload. permanently on the device.

The competition’s third team, F-Secure Labs, targeted an NFC component of the Xiaomi Mi 9. Using a specially crafted NFC tag, the team exploited a cross-site scripting bug in the component to extract an image from the device.

Pwn2Own is a twice-yearly hacker competition hosted by Trend Micro’s Zero Day Initiative. The aim is to uncover as many unknown vulnerabilities as possible.