Introduction

The Viettel Cyber Security (VCS) team from Viettel Group achieved a significant victory at the Pwn2Own 2024 event in Ireland, securing their second consecutive championship. This prestigious competition, held from October 22 to 25, focuses on identifying and responsibly disclosing software vulnerabilities, with substantial financial rewards for successful discoveries.

Description

On October 25 [2], the Viettel Cyber Security (VCS) team from Viettel Group achieved a remarkable victory at the Pwn2Own 2024 event held in Ireland, marking their second consecutive championship win. The competition [2], which took place from October 22 to 25, awarded over $1 million for the discovery of more than 70 unique vulnerabilities [1], all of which will be responsibly disclosed to the relevant vendors for patching [1]. VCS earned a total of $205,000 by discovering and exploiting nine zero-day vulnerabilities across a range of products, including the Lorex 2K security camera [2], Synology TC500 AI camera [2], Ubiquiti AI Bullet camera [2], Sonos Era 300 smart speaker [1] [2], HP Color LaserJet Pro printer [1] [2], Canon imageCLASS MF656Cdw printer [2], QNAP TS-464 storage device [1] [2], and TrueNAS Mini X enterprise storage solution [1].

During the event, VCS scored 33 points, nearly doubling the score of the second-place Team Cluck from the USA [2], which garnered 17.25 points [2]. Notably, on the second day, a member of VCS successfully exploited a use-after-free vulnerability in the Sonos Era 300 speaker, earning $30,000 and 6 points. Additionally, they exploited a type confusion vulnerability in the HP Color LaserJet Pro MFP 3301fdw printer, which netted them $10,000 and 2 points.

The competition featured eight categories focused on AI-integrated devices [2], requiring participants to possess in-depth knowledge of source code and the operational mechanisms of AI systems [2]. The event was hosted at Trend Micro’s Cork office [1], and the discoveries made by VCS and other teams are expected to enhance security for end users of the targeted products.

Conclusion

The achievements of the VCS team at Pwn2Own 2024 underscore the critical importance of cybersecurity research and the responsible disclosure of vulnerabilities. By identifying and addressing these security flaws, the competition contributes to the enhancement of product safety and user protection. The ongoing efforts of cybersecurity experts, such as those from VCS, are vital in safeguarding digital environments and ensuring the resilience of AI-integrated devices against emerging threats.

References

[1] https://www.infosecurity-magazine.com/news/researchers-70-zeroday-bugspwn/
[2] https://en.vneconomy.vn/viet-nam-gianh-ngoi-vo-dich-ve-bao-mat-an-ninh-mang-toan-cau-nam-thu-hai-lien-tiep.htm