Trend Micro's ZDI Lifts the Lid on Vulnerabilities and Diffuses Danger

Rhea-AI Summary

Trend Micro announced the results of the Pwn2Own competition held in December 2022, awarding $989,750 for the purchase of 63 unique zero days. The competition highlighted security vulnerabilities in home devices amid a rise in remote work, with an estimated 80% of US employees working from home. The event included a SOHO Smashup category, where hackers earned up to $100,000 for exploiting connected devices. The top contestant, DEVCORE, secured $142,500 in prizes. The competition aimed to raise awareness about the cybersecurity risks posed by home devices.

Positive

• Awarded $989,750 in prizes, showcasing substantial industry engagement.
• Highlighted critical vulnerabilities in home devices, enhancing Trend Micro's threat intelligence.
• DEVCORE proved as the top performer, securing $142,500 in prizes.
• The competition fostered awareness regarding cybersecurity risks in remote work environments.

Negative

• The potential risks highlighted by discovered vulnerabilities could undermine corporate security.
• Increased attack surface from home devices may lead to significant data breaches if not addressed.

Largest Pwn2Own competition proves the risk home devices play to enterprise security

TORONTO, Dec. 12, 2022 /PRNewswire/ -- Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced the winners of its fall Pwn2Own competition held through the Zero Day Initiative. $989,750 in prizes were awarded throughout the event with the purchase of 63 unique zero days. The real-world impact if these vulnerabilities were weaponized would amount to 10x in time, data and financial loss.     

$989,750 in prizes were awarded throughout the event with the purchase of 63 unique zero days.

To read more about the Pwn2Own Toronto event and the final competition winners, please visit:

"As a security vendor we have a responsibility not just to protect our corporate customers but also to make the connected digital world a safer place in which to live and work," said Dustin Childs, Head of Threat Awareness at Trend Micro's ZDI. "Pwn2Own this year has revealed a slew of new vulnerabilities which will do exactly that, whilst also highlighting the growing security threat from the distributed workforce."

An estimated 80% of US employees are currently working from home some or all of the time, according to Gallup. However, that can expand the corporate attack surface if devices like routers, smart speakers, printers and network attached storage (NAS) are not properly secured. Vulnerabilities in household devices disclosed through Pwn2Own and Trend Micro's Zero Day Initiative inform Trend Micro's industry-leading threat intelligence that secures increasingly entangled consumer and enterprise networks.

Several waves of Deadbolt ransomware that compromised global NAS devices this year highlight the potential risk for businesses.

Attackers could also use compromised small office/home office (SOHO) connected devices as a jumping-off point for lateral movement within a network, potentially leading to a device connected to corporate resources.

That's why this year's fall Pwn2Own competition featured a "SOHO Smashup" category that challenged hackers to exploit a Wi-Fi router and connected device. If contestants were able to take complete control of both devices within 30 minutes, they could earn $100,000 and 10 Master of Pwn points.

Raising awareness of the risks to SOHO equipment comes amidst government moves to enhance buyers' confidence, in a technology where responsibility for security often falls between employee and enterprise.

In the EU, legislation is being proposed to mandate minimum security requirements of connected device vendors, while in the US there are moves afoot to launch a new labelling system akin to Energy Star.

Pwn2Own was held from 6-8 December 2022 in Trend Micro's Toronto offices, with Trend Micro offering to reimburse up to $3,000 in travel expenses for teams participating in person. Those unable to attend were able to log in remotely.

The overall Master of Pwn winner was DEVCORE with 18.5 points and $142,500 in prizes. The top five contestants were:

To learn more about Pwn2Own and recap highlights of the event, visit the ZDI blog.

About Trend Micro
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

View original content to download multimedia:https://www.prnewswire.com/news-releases/trend-micros-zdi-lifts-the-lid-on-vulnerabilities-and-diffuses-danger-301699805.html

SOURCE Trend Micro Incorporated

FAQ

What were the results of the Pwn2Own competition held by Trend Micro in December 2022?

The competition awarded $989,750 for the purchase of 63 unique zero days, with DEVCORE as the top performer.

How much did DEVCORE win at the Pwn2Own event?

DEVCORE secured $142,500 in prizes at the Pwn2Own competition.

What is the significance of the vulnerabilities discovered at Pwn2Own?

The vulnerabilities highlight cybersecurity risks linked to home devices, especially with remote work becoming more common.

What was the focus of the SOHO Smashup category in the Pwn2Own competition?

The SOHO Smashup challenged hackers to exploit a Wi-Fi router and a connected device, with a prize of $100,000.

What impact does the rise in remote work have on cybersecurity according to the Pwn2Own findings?

The increase in remote work expands the corporate attack surface, making it easier for attackers to exploit vulnerable home devices.