China hosted its largest national hackathon, the Tianfu Cup, a competition between teams of experts in attacks on information infrastructure. Using previously unknown vulnerabilities, participants were able to hack almost all of the most modern software products.
The winner of the contest received $744,500 for successful attacks on the Google Chrome and Mozilla Firefox browsers, as well as for hacking the iOS operating system (OS) running on the iPhone 11 Pro and Microsoft Windows 10 2004 running on the Surface Pro 5 tablet. The team has a long name: 360 Enterprise Security and Government (ESG) Vulnerability Research Institute. Its members work for Qihoo 360, a Chinese company specializing in Internet security. In total, this team took two-thirds of the total prize fund, which was $1.2 million.
Qihoo 360 employees were also able to hack the enterprise virtualization software VMware ESXi, the PDF document viewer Adobe Reader (two successful attacks), the Samsung Galaxy S20 smartphone running Android 10, the QEMU emulation software environment, and the Ubuntu 20 OS. In addition, they easily seized control of the TP-Link WDR7660 router.
Other participants also distinguished themselves: the Safari browser, the Docker enterprise software management system, and the ASUS AX86U router "fell" under their onslaught. In addition, specialists from Qihoo 360 were not the only ones who successfully hacked the software listed above. Most targets were attacked more than once.
[Image: table of achieved goals. Image source: Tianfu Cup]
For example, the iPhone 11 was hacked in two ways, just like the Galaxy S20. And the PDF document viewer from Adobe particularly "distinguished itself": five successful attacks were made on it. A comparable number of new vulnerabilities were found only in the TP-Link router: four.
It is noteworthy that the hackathon organizers chose several more goals as the competition's disciplines, but the participants ignored some of them. The Microsoft Edge browser, the VMware Workstation custom package, and the Exchange Server 2019 system could have brought teams another $380,000. But for some reason, they didn't spend their energy on them. Perhaps these software products are not of great interest to cybercriminals, or maybe there was simply no time left for them in the competition.
In total, 11 of the 16 goals were achieved, and the most common applications and operating systems were successfully attacked. It goes without saying that the developers of each software product received detailed information about all identified vulnerabilities.
The Tianfu Cup hackathon has been held since 2018. It was organized after the Communist Party banned Chinese cybersecurity specialists from participating in foreign professional competitions. In its principles, the contest is similar to one of the most prestigious hacker championships, Pwn2Own. Participants are assigned a goal: for example, to execute code with certain privileges on the attacked device. They must find a previously unknown vulnerability and exploit it. For successful completion of the task, points are awarded, and then cash prizes. All detected software errors must be reported to the software creators.