At Trend Micro, we’ve always said that cybersecurity is a team sport. But what happens when you put those teams in competition with each other? We believe you create the conditions in which the world’s best hackers thrive. And ultimately, you make the connected world safer in the process.
That’s the philosophy of our Zero Day Initiative’s Pwn2Own competition. For the past 15+ years, teams from across the globe have battled each other for big cash prizes and even bigger industry kudos. Building on our recent events in Miami and Toronto, we’re excited to see what they’ve got planned for the upcoming Vancouver event, including exciting targets like two Tesla vehicles and many other interesting targets.
Welcoming back Tesla
Tesla almost single-handedly invented the connected car industry. It knows more than most what’s required to keep one step ahead of the competition and the cybercrime community: rigorous testing and continuous probing for software bugs. We must remember, after all, that a car isn’t just a car any more. It’s a complex system of IT components and dynamic systems that presents an increasingly attractive attack surface for threat actors.
That’s why we have partnered for years with automotive car technology manufacturers and recently launched our VicOne subsidiary. And it’s why we’ve welcomed Tesla to Pwn2Own for the past several years. In fact, in 2019, one team won the Master of Pwn award, and the Tesla Model 3 they successfully hacked. Last year’s competitors were able to demonstrate the exploitation of two unique vulnerabilities in the car’s infotainment system. This year we’ve updated and expanded our target list again to keep pace with the rate of innovation from the connected vehicle giant and so many others.
Pwn2Own Vancouver 2023 will feature:
- Tesla Model 3 and Tesla Model S vehicles as targets
- A new Steam VM Escape category as an attack vector, in line with Tesla support for the gaming platform
- An isolated vehicle head unit on which to attempt autopilot exploits too dangerous to run on the vehicle itself.
- A top prize of $600,000 – with Tesla cars being the single largest target in Pwn2Own history and, of course, the ability for top award winners to drive away in a Tesla of their own.
What else can attendees expect from the Vancouver show this year? We’re predicting:
- Multiple entries in the Virtualisation category, including VMware and Oracle VirtualBox.
- A privilege escalation for every operating system in the contest: Windows, macOS, and Linux.
- A full exploit of Adobe Reader running on macOS.
- Attempts on Microsoft SharePoint and Teams, which reflects the growing need to secure the hybrid workplace.
- Entries in the Automotive category, including one that could win the vehicle itself.
The power of Trend Micro’s Zero Day Initiative (ZDI)
Pwn2Own has, over the years, become indelibly associated with its primary patron, Trend Micro’s Zero Day Initiative (ZDI). It couldn’t be a better fit for what is the world’s largest vendor-agnostic bug bounty programme, accounting for nearly 64% of all vulnerabilities disclosed in 2021, according to Omdia.
The philosophy driving both the competition and the ZDI is to make the connected digital world a safer place, 100% in alignment with Trend’s corporate mission. We do that one advisory at a time at the ZDI – strengthening the overall industry by sharing information with vulnerable vendors and using that threat intelligence to protect our customer’s vulnerable systems for over 70+ days before official patch disclosures.
Pwn2Own participants have contributed a hefty number of zero-day finds over the years: 530 unique critical vulnerabilities since its inception across events focused on mobile, IoT, automotive, and critical infrastructure, to name a few. All told, the event has paid out more than $11.2M over the years. But its value to the vendors who participate and the customers who rely on their products has been much greater, especially considering that many vulnerabilities have been identified on business-critical enterprise applications, which are essential for business continuity and operations for numerous reasons organisations.
Last year we awarded over $1M to participants for their amazing research. To find out who’ll strike it rich this year and win the coveted Master of Pwn trophy – and maybe a Tesla or two – join us at the Sheraton Wall Centre in Vancouver during the CanSecWest conference on March 22-24, 2023.
Follow the Trend Micro ZDI blog for live updates from the event here.