Transcription performed by LeahTranscribes
[START OF RECORDING]
JACK: Alright, pop quiz. Who is the best hacker in the world? Well, I think I’ve found him. Oh, it’s two guys, actually; Pedro and Radek. They won the 2020 Masters of Pwn Award which for now means they’re the best.
PEDRO: Oh, wow. As much – we really appreciate that and as much as we would like to think we are, that would be unfair, you know? It’s quite a nice title to have and we’re quite happy with it. But the fact is there’s a lot of good hackers that stay in the shadows and I know for a fact a lot of them are better than us.
JACK: See, here’s the thing; Master of Pwn is the title given to the winner of the Pwn2Own hacker competition. We’ll get into what all that means later but this is a very prestigious event with hundreds of thousands of dollars in prize money at stake. In fact, I think it’s the highest-paying hacker contest out there. When you have a well-known hacker contest with high-paying rewards and the rules are fair and transparent and it’s open for anyone in the world to compete in, then yeah, I think whoever wins it can possibly say they’re the best hackers in the world. I mean, how else can you prove that except through a fair and open competition, right?
RADEK: Yeah, it’s very good to be crowned the Master of Pwn and of course, anybody can challenge that. But as Pedro said, there are a lot of people that stay in the shadow or they use different competitions or, you know, formats to compete with the rest of the world.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Okay, today we’re talking with two guys from ZDI which stands for the Zero Day Initiative.
DUSTIN: My name is Dustin Childs. I’m the Senior Communications Manager for the Zero Day Initiative.
BRIAN: My name is Brian Gorenc. I’m the Senior Director of Vulnerability Research here at Trend Micro. I run the Zero Day Initiative along with a couple other things here at Trend all focusing on exploitation and vulnerability discovery.
JACK: Alright, so you’re both part of Zero Day Initiative. What is the Zero Day Initiative?
DUSTIN: ZDI is the world’s largest vendor agnostic bug-bounty program. That means we buy bugs in products from various vendors across the spectrum of IT.
JACK: Hm, well, that’s interesting. These guys are bug-buyers. Specifically, they buy zero-day vulnerabilities. Zero-day vulnerabilities are bugs that the software developer or vendor doesn’t know exist or has not fixed. This vulnerability can be exploited on the latest and greatest software updates. If someone can demonstrate they can exploit fully-updated software, the ZDI team will buy that exploit from them.
DUSTIN: We buy Microsoft, we buy Apple, we buy Google, we buy Cisco, we buy IBM. We buy a bunch of different bugs.
JACK: Now, the thing is, ZDI is run by Trend Micro which is a cyber-security company that makes different products like the TippingPoint Intrusion Detection System. Now, an intrusion detection system examines the network traffic and looks for someone trying to exploit something. It alerts and triggers and tells the admin check this out; there might be something wrong here. ZDI was created in order to enrich the vulnerabilities that their intrusion detection system can detect. They thought by buying bugs, it would make their product better. But at the same time, when they’re buying a bug, they also tell the vendor that there’s a serious vulnerability in their product and this needs to be fixed now. While a lot of software vendors have their own bug-bounty program which pays people to report bugs to them, they don’t give ZDI any money for the bugs that ZDI reports.
DUSTIN: I wish it worked that way. It would save our budget a lot. Now, we buy the bugs – let’s take a Microsoft Edge bug just as an example, hypothetically. We buy a bug in Microsoft Edge and then what we do is we create a filter for our products and then push that out to Trend Micro products ahead of Microsoft releasing a patch for Edge.
JACK: Yeah, so, I guess my question is why doesn’t – so, you said Edge is an example; why wouldn’t Microsoft pay for this bug or why don’t they pay more for it?
DUSTIN: Microsoft would pay for it and they probably would pay more, but their advantage is with going to ZDI. Certain researchers don’t want to be known to the vendors. Certain researchers don’t want to deal with the disclosure. We’ve had a lot of interesting disclosures over the years. We also have kind of a frequent flyer program so the more you report to us, the higher levels of bonuses you can get. We’re kind of a known entity. With some vendors, researchers have had the experience where they report bugs and then they just kinda get blown off. [00:05:00] The vendors know who ZDI is. We’ve been around long enough, so researchers know that if they report it to us, their bug’s not gonna get just ignored.
JACK: Mm-hm. I’ve talked with a few researchers who have found it frustrating when they tell a company about a bug they found, but that company just ignores them. So, security researchers don’t always want to go through the hassle of having to convince a company that there’s this bug and you need to fix it and here’s how. Instead, they just submit it to ZDI and then ZDI does all the legwork to try to get the vendor to fix it, because here’s the thing; ZDI puts pressure on the vendor to make them move quick.
DUSTIN: [MUSIC] Yes, we have a 120-day disclosure timeline right now for vendors so from the time we report it to you, to any particular vendor, they have 120 days to work with us to get a public solution available whether it’s a patch or an advisory, some sort of fix out to the public. Then if it exceeds that timeline, then we do disclose a certain amount of information so the people can take other matters to protect their resources.
JACK: Mm-hm. See? ZDI has a heavy hand here. When they give a bug to a vendor, a timer starts, and if the vendor doesn’t fix this problem in 120 days, then ZDI will publicly tell the world about this bug. This has given ZDI quite a reputation because if you’re a vendor and ZDI calls you up, you better listen and get things fixed quick or else your customers are going to be victim to many attacks. This has happened. Vendors have ignored ZDI and the timer sometimes expires.
DUSTIN: Sometimes the vendor disagrees with the severity of the bug. We had a bug in the Foxit PDF Reader and it only hit when the protected mode was disabled. They said because of that, we’re not gonna fix it. We said we disagree with that and we think it should be fixed, so we’re gonna go public with it. We went public with it. They published a blog – we published a blog and later that afternoon they came back and said you know what? We changed our mind. We are gonna fix it. A week later, a patch was available. Clearly, if it only took them a week to make the patch, it wasn’t a technical issue. It was just a ‘we don’t want to patch this for philosophical reasons.’ By going public with it, that changed their mind.
JACK: ZDI was doing this bug-buying stuff for a few years but then came CanSecWest. [MUSIC] CanSecWest is a security conference in Vancouver, Canada.
DUSTIN: A conference organizer had a MacBook; MacBooks had a reputation in the public as being essentially hack-proof. Everyone in the community knew that wasn’t true, though. He wanted to kinda demonstrate that so at the conference he said okay, I’m gonna put this MacBook on this network. If you pwn it, you can own it. Hey ZDI, would you buy the bug? We said yes, we’ll pay $10,000 for the bug.
JACK: An impromptu contest was launched. If someone at CanSecWest had a working exploit for a fully-updated MacBook Air, they could try attacking it. The challenge was to get into it without the user having to do anything like click a link or a pop-up or anything. Simply having the MacBook on the same network as an attacker was all that was needed because if someone can take a computer over like this, this means they’ve pwned the computer. The rules are that if you pwn it, you can own it, which is different than owning it in a hacking sense. If you attack something and you get into it, you pretty much own that system. But in this case, you’re actually given the MacBook Air and say here, you got into it. You can own it now. It’s yours. But then on top of that, ZDI was also offering a $10,000 reward if you can do it, too. That’s a pretty nice reward which means hackers were spending time trying to hack into this MacBook Air during the conference which lasted three days. Did somebody pwn it?
DUSTIN: Dino Dai Zovi; yes, he did. That was before my time but I believe he used a bug in QuickTime to take over the system.
JACK: This was such an exciting event for ZDI that they decided to keep this contest going. [MUSIC] Since 2007, the Pwn2Own contest has been going on every year at CanSecWest.
DUSTIN: Yes, from that point it became an annual thing and it grew. Initially, it started primarily with browsers.
JACK: The Pwn2Own contest for the next few years was just for web browsers; Chrome, Firefox, IE, Safari. They announced the contest rules; the browsers will be fully updated on the latest patches and the contestant will need to exploit a bug in the browser and try to take over the computer. The only interaction the user has to do is browse to the attacker’s website.
DUSTIN: I would say, just browse to the website. No user interaction after that.
BRIAN: Yeah, we actually have rules in the contest that require the exploit work without any user interaction, so all the…
JACK: Other than going to the website.
BRIAN: Other than going to the website. Then once you hit the website, the machine is compromised and the attacker’s shell code is executing.
JACK: Okay, that gives me chills just thinking about it ‘cause I always assumed if I [00:10:00] just go and – as long as I don’t click ‘are you sure you want to run this thing’, it’s very bad or something or there’s a little padlock in the top. There’s all these little things I look for when I’m going to shady-looking websites. But now you’re telling me it’s possible that even if all that, I could still be pwned.
DUSTIN: That’s correct.
JACK: [MUSIC] There’s a few different combinations of potential attack scenarios here. It’s not just for browsers; there’s also three different operating systems, too. They would ask the contestants what browser and what operating system do you want us to visit your website with? You can pick macOS, Windows, or Linux, because writing an exploit for each of these is a little different. Next year in 2008, Charlie Miller wrote an exploit for Safari on macOS. When the contest organizers went to Charlie’s website, Charlie exploited that computer and completely took it over. From then on, the contest grew bigger and bigger and bigger. In 2014, a security research team known as Vupen came to compete at Pwn2Own.
BRIAN: Yeah, the Vupen Chromoscope is actually quite interesting, that – what happened in 2014. It’s I think still to this day one of my favorite exploit chains that we received from Vupen. Vupen was – at the contest was targeting Google Chrome. Obviously at the time, it’s still to this day is considered one of the most – hardest browsers to actually compromise. What they ended up doing is they had their server, we have the attack laptop and the – one of the ZDI team members surfs to their controlled web page. It basically says Waiting. What’s happening underneath the covers is actually they’re exploiting a use-after-free in Google’s renderer process.
JACK: Use-after-free is a classic exploit. A browser has an object in the computer memory in order for it to work, but what an attacker might do is delete that object from memory somehow but not tell the browser that the object was deleted. The browser still thinks something is there but the attacker will put something else in that spot of the memory, so when the browser goes to run the program that’s in that piece of memory, it’s running the attacker’s code instead which can be something malicious.
BRIAN: Once they’ve actually successfully exploited the use-after-free, they move on to try to escape the sandbox.
BRIAN: The way that they did this was they actually used an undocumented feature in Windows which allowed them to load a COM control onto the clipboard of the operating system. What ended up happening is every time you would right click, the COM control would get instantiated and execute attacker control code outside of the sandbox itself. It was this kinda slick way of escaping the Chrome sandbox using some of the undocumented features in the Windows operating system.
JACK: Now, to me at least, this is exciting to watch. It’s not quite a spectator sport though, so it’s just about as good to hear about it later as it is to see it live, but it’s exciting in the sense that an unknown bug to a major browser is going to be exploited right here on stage, right now.
BRIAN: It’s usually very exciting, right? You know what’s happening on the contestant side is, you know, they’ve put a lot of time and effort into first finding the vulnerability and finding the sandbox escape and then taking the time to write the exploit, make it reliable, make it so that there’s no user interaction. It comes to this point in the contest where it’s all on the line, right? You have five minutes to make the exploit work. There’s a lot of tension that occurs in the air and in the room when it comes to that point of actually surfing to the web page. For us and ZDI, we’re always very much – we want the contestant to win, right? We want to pay the bounty. We want to be involved in the disclosure process.
We want to see them be successful because ultimately what’s gonna happen is the vendor’s gonna release the patch that’s gonna remove this exploit from being used in the wild. We’re also very excited when the actual exploit works because we look at exploits as kind of art, right? There’s always [00:15:00] unique things that they’re doing to make the exploit work by using different exploit techniques, unique bugs, things that have never been seen before. When the exploit is successful, it gives us an opportunity to go take a look at that exploit chain, understand how they put it together, look at the vulnerabilities that they were using and see if there’s any interesting new techniques that we can kind of provide protections for but also recognize all of the efforts that they – that the contestant has put into actually developing that exploit.
JACK: The Vupen team sat down, got their malicious web server ready, then told ZDI to browse to their web server. After ZDI went to the website, a few moments later, the calculator app launched on ZDI’s computer which proves that the Vupen team was able to get into that computer and launch whatever program they wanted.
BRIAN: I remember when we were sitting in the disclosure room at the contest going through the exploit with Microsoft and Google at the time, they were all kind of – we were all kind of sitting there surprised at how efficient this was and the fact that they were leveraging something that was undocumented in an operating system that would allow them to execute code and escape the sandbox which at the time was something that was – still was relatively rare to see. But it was fun to – you just sort of go to a website, the browser doesn’t crash, and then you minimize the browser and start right-clicking on the desktop and calculators start popping up on the screen, demonstrating that they did have complete control of the computer at that point.
JACK: [MUSIC] Demonstrating this vulnerability and having it work earned Vupen $100,000 in prize money. Over the course of time, Vupen has gone to Pwn2Own and taken prize money home many times. See, Vupen was this team of security researchers who were in the business of finding vulnerabilities and selling them to law enforcement. This was actually their whole business which brings me to the question; is $100,000 a lot for a bug like this? Well, it seems like it is. It’s a lot for ZDI. That’s for sure. But let’s talk about some options, what else you could do with a zero-day bug like this. If the vendor had a bug bounty program, you could submit to them and some vendors pay pretty well, but do they pay $100,000 for a bug? Well, Google’s maximum payout for a bug is currently set to $30,000. But a security researcher in 2009 was able to demonstrate that he could take over a Pixel 3 phone with just one click, and Google paid him $200,000 for that one.
But the reason that was so high is because the researcher was able to chain a few different exploits together to get this working, so they actually used multiple bugs to do that. Sometimes vendors will pay double when they want researchers to focus on a particular product. It’s sometimes hard to get vendors to look at bugs that you give them and get them to pay out. Obviously taking full control over a computer using an unknown bug will be one of the higher-paying bugs, but then there’s a few other markets for places you can go to sell zero-day exploits. The dark web is one place, but it’s shady and shifty. Is someone really gonna roll up and pay $100,000 for a vulnerability on a darknet marketplace? How do you know it’s an actual zero-day vulnerability? How do you know that you’ll get working code and you’re gonna be taught how to use it properly? Or how do you know where it even came from? Maybe the seller will sell it to you and then sell it to your adversary the next day. Think about who’s buying and selling zero-day bugs on the dark web; probably criminals, right?
People with ill-intent at least. The market for this on the dark web is starting to dry up and so, there’s law enforcement. Places like the NSA and FBI sometimes use zero-day bugs to get into things. The classic example is the San Bernardino iPhone story. This was an iPhone recovered from one of the terrorists who did an attack in 2015. The iPhone was password-protected and the FBI wanted Apple to unlock it but Apple refused, mostly saying they don’t have the ability to do that and they’ve designed the phone in such a way that it’s impossible even for Apple to unlock it. The court wasn’t able to force Apple to do it, so the FBI had to go to Plan B which was to hack into it. We don’t know the specifics but the story goes that the FBI bought a zero-day bug for a million dollars to get into that iPhone. An exploit to get into a locked iPhone goes for a million dollars on the gray market. There are mercenaries too, hacking groups who work for the highest bidder to hack into a target. An example here is Project Raven. In fact, in Episode 47, I talk about Project Raven.
This was basically a hacking group who was contracted by the UAE to hack into its adversaries. One of the hacking tools they used is called Karma. This allowed Project Raven operatives to access information on a target’s iPhone without the target having to click or do anything. Simply by sending a message to that iPhone was all it took. But we believe Karma was an exploit that was purchased outside of the UAE. We don’t know how much they paid for it, but [00:20:00] it sure is probably worth a million dollars since Project Raven was able to use it for years on dozens of targets without it being patched. Any time the UAE government wanted to spy on someone’s iPhone, they had a pretty easy and quick way to do it. See, the thing is, we’re in the era of cyber-arms industry where buying and selling zero-day exploits is fairly common among nations and mercenaries, because having that slight edge on an adversary can really go a long way for a nation’s intelligence-gathering.
DUSTIN: Yes, there is the exploit broker market and the black market that can pay a lot more. There’s different concerns that researchers have reporting it that way. One thing is you go to Pwn2Own and there’s press coverage and there’s adoration and there’s Pwnie Awards that a lot of Pwn2Own stuff gets submitted for, so you kinda make your name a little bit more well-known. If you sell to an exploit broker, your name will never be associated with your research and your research could be used by an oppressive regime to monitor people or something. Some people have ethical problems with that. Some people just see two commas in a dollar figure and say that’ll sort itself out. It’s one thing that we do compete against.
JACK: Vupen has demonstrated eleven zero-day vulnerabilities at Pwn2Own over the course of a few years, but that team has now morphed into what’s called Zerodium which they still work to acquire zero-day exploits and report on them. Zerodium has their own researchers trying to develop zero-day exploits, but also spends a significant amount to buy exploits. That just makes me wonder why Vupen decided to publicly share these with ZDI. Maybe to become known as the people who have lots of zero-day bugs, so many that they’re willing to share them with ZDI. I’d like to interview these guys one day but in my experience, zero-day brokers just don’t like talking publicly. [MUSIC] I’m reading this article on forbes.com. The article is titled 30 Under 30 Asia. They pick thirty people under thirty years old that are noteworthy and making a name for themselves. One person on this list is named Junghoon Lee. Let me read what Forbes wrote about him. “Lee, better known as his online alias Lokihardt is said to be able to hack into any computer, smart phone, program, or browser from Apple iPhone to Microsoft Edge, Google Chrome, or Safari.” Who’s this guy, Korean Junghoon Lee? What did he exploit?
DUSTIN: He exploited everything. I think he exploited Chrome, he exploited IE, and he exploited Safari.
JACK: Okay, let’s talk about that, then.
BRIAN: Yeah, they say he goes by the handle of Lokihardt. If I remember correctly, he was actually – kind of worked in the game community, a game developer. He kind of had a unique way of looking at vulnerabilities that he would find in the browsers. Typically what he would find is race conditions. He’d find a place where code is raced in a very specific point and find a way to exploit that in a way that would allow him to get code execution. I remember about his attempts is that a lot of them were race conditions and kind of unique bugs that not – normal fuzzers and testing techniques wouldn’t find and that’s why I’ve really enjoyed his approach to looking for bugs. I think one of the most interesting ones I remember from him was he had a – I think it was an IE exploit where to escape the sandbox, he actually forced the browser to open up the on-screen keyboard and he was clicking on the keyboard with his exploit code to actually execute commands on the actual operating system itself.
It was really – it was actually – that one was very visually fun to see because he would go to the attacker control web page, he would exploit the browser, and he brought up the virtual keyboard to actually start clicking on different keys on the keyboard. I think the attempt didn’t work at Pwn2Own because he had tested his exploit against I think the Korean version of the operating system and we were running against the English version of the operating system. So, the keyboard points were slightly off. As a result, he didn’t actually get code execution outside of the sandbox, but it was one of the more interesting exploits that we had seen at the actual contest.
DUSTIN: I think his largest payout was $110,000. Over the three-day program, he won $225,000.
JACK: Whoa, that’s crazy. That’s some young Korean guy; just showed up to Pwn2Own, demonstrated how he can take over computers running Chrome, Edge, and Safari and then walked out with a few hundred thousand dollars. Who are these guys? Well, Google was apparently really impressed with this work, so they offered him a job. So, Lokihardt took the job and moved to Sunnyvale and started working at Google, but I don’t think he works there anymore now. When this contest happens, I mean, since 2007 and 2017 at least, that’s ten years of – browsers are getting pwned every year.
JACK: What do the browser companies think of this event?
DUSTIN: [00:25:00] Well, we’ve heard from Microsoft that they actually like it because they’re getting research that they would not otherwise do. Especially the security folks; they can go to their management and go look, the secure initiative that we want to do, these mitigations that we want to implement, see, at Pwn2Own we’re getting popped. If we implement this mitigation, maybe we won’t get popped so easily. I wouldn’t say they love it but I think they – that they definitely appreciate it. Most of our vendors we have a very good relationship with so that they know that we’re also a fair broker and we’re not gonna do stuff just to make ourselves look good. They know that overall, their products are gonna get more secure.
BRIAN: I think you can look at the contest, too, over the years, too, is that early days in Pwn2Own, a lot of these vendors were not really enjoying being part of the contest but over the years they’ve actually started to see the value. They’ve actually started to sponsor the conference and they want to be more involved with the actual research community. As a result, you’re seeing a lot of these vendors open up and use that data to actually improve things like the sandbox and the rendering engines inside of the browser.
JACK: While initially Pwn2Own was just browsers, it’s now expanded well beyond that.
DUSTIN: [MUSIC] Over the years, we’ve added applications and other technologies. It really kinda started with Flash and Java which kinda makes sense ‘cause that’s things that are occurring in the browser. But then we ended up adding enterprise applications like Microsoft Office and Adobe Reader. Phones at some point came into it as well with the BlackBerry and iPhones. Then we really started focusing on the operating system and sandbox escapes. In 2016, we introduced the virtualization category, then we added in 2018 IoT devices, and in 2020 we even added Pwn2Own specifically for industrial control systems and SCADA products. It’s really grown over the years as it’s formalized to really spread out and look at a wide range of enterprise products, consumer products, and now ICS and SCADA products.
JACK: This event has made quite a name for itself. Vendors know exactly what day Pwn2Own is happening and sometimes push patches to their products just before the event. But I do wonder what vendors think when they get added to the list of targets in Pwn2Own. Do their eyes widen when they realize they’re now gonna be in the crosshairs of the world’s greatest hackers?
DUSTIN: Yes, we’ve had vendors actually try to opt out of participating but we let them know that’s not really an option. But then by the end, they were actually enthusiastic and like Brian says, Microsoft is a co-sponsor of Pwn2Own now, as VMware is, too.
JACK: Now, while Pwn2Own was always about testing the security of browsers, one year they didn’t allow testing in Firefox.
DUSTIN: [MUSIC] Yes, there was one year we did not include Firefox primarily because they hadn’t made any significant new security improvements over the year. At the time, they weren’t even sandboxed.
JACK: Yeah, Firefox just wasn’t updating the security of their browsers enough for ZDI to feel confident in testing it. In fact, Brian was quoted saying “We wanted to focus on browsers that have made serious security improvements in the last year.” When the Firefox CEO saw that, he tweeted “Ouch”, which I think was quite embarrassing for them. But since then, Firefox has been included again and they’re putting a lot of focus into securing their product. As Pwn2Own continued and grew year after year, it became more and more prestigious to be a prize-winner from the contest. In fact, to make things even more prestigious, they started a thing called Master of Pwn.
DUSTIN: [MUSIC] In 2016, we created this title called Master of Pwn. The way Pwn2Own works logistically is at the beginning of the contest, everyone’s name who’s participating goes into a hat and we draw names out of a hat and that’s the order that you go. We’re looking for the first win in a category and that’s the full winner. Everything subsequent, the prize money goes down for additional rounds. If a Chrome exploit is worth $75,000 in the first round, it may only be worth $35,000 in the second round. There’s a randomness of luck into the contest. You might end up with the best research but if you have a bad draw, you get a lot less money. We introduced the concept of Master of Pwn to crown the overall winner where, okay, that Chrome bug is gonna be worth ten points but it’s worth ten points the first round, the second round, the third round, and so on. If you’ve got the best research but have a bad draw, you could still be crowned the overall winner of Pwn2Own, Master of Pwn, if you end up with the most points.
BRIAN: This is where it got really competitive. What ended up happening is in the Pwn2Own evolution, is we started to experience more and more teams in the contest. The purpose of the team was to actually try to land an exploit in every category and try to accumulate enough points to win that Master of Pwn. [00:30:00] Because there’s a lot of press and there’s a lot of notoriety that goes along with the Pwn2Own contest, companies started to form very large teams to actually compete against other companies. Some of the top players in the space were two Chinese companies; one Tencent and the other 360 who developed really advanced and elite teams to participate in Pwn2Own. These teams would be large enough where they would have individual researchers looking at different subsystems to find bugs and then would put them all together to actually bring a large number of exploit chains to the contest so that they could make an attempt to win the Master of Pwn.
Between those two companies, it was quite competitive. What ended up happening one year is that the – during our ten-year anniversary, the two teams were very close to winning the actual Master of Pwn award. It came down to the rules in the contest. The rules in the contest require that you use a zero-day and that it’s unknown to the vendor, but occasionally there can be collisions. We call them vulnerability collisions where one researcher submits a vulnerability and another researcher submits the same vulnerability and a collision occurs. As a result, the person who has the first – who uses it first in the contest based off of the draw is – gets the points for that specific vulnerability. Years prior, the collisions would occur and the – and they would happen within the contest. But what ended up happening as we – as the competition for the Master of Pwn became more and more important to these companies, they would actually start researching the – basically reverse-engineering the other research team’s researchers, looking at how they would go about finding bugs and try to find the same bugs that they were finding and submit them to the vendor prior to the contest.
JACK: Yeah, in 2017, the Chinese team from Tencent blocked the Chinese team called 360 by submitting one of 360’s bugs a few days earlier. That’s just crazy to me. Tencent didn’t hack 360 directly but instead studied how 360 went about finding bugs. I think what happened is someone from 360 gave a talk at a security conference explaining how to look for bugs or something like that, and someone from the rival team of Tencent was there and took notes and learned the technique and found bugs that 360 probably would have found. They told Google about this just to mess with 360 to keep them from getting points for that bug. That’s wild, but this rivalry between Tencent and 360 goes way beyond Pwn2Own. These two companies have been feuding over things for a long time and they’re not just fighting over who’s the Master of Pwn.
DUSTIN: The title comes with a trophy. That’s very important to them as well, and it usually comes with a jacket. We have a lot of fun with the various jackets that we’ve had over the years. We’ve had a smoking jacket. The tenth anniversary, we had a custom bomber jacket made up. It was really cool. This year we have a custom hazmat suit for the Pwn to – Master of Pwn winner. But really, it’s the notoriety that they’re looking for. That title of Master of Pwn, it’s – especially in certain communities, it’s really well-respected.
JACK: [MUSIC] Okay, so this team 360, the same year they were getting blocked by Tencent was the same year VMware made its debut at Pwn2Own. Now, if you aren’t aware, VMware is a way to run multiple virtual servers on one computer. Years ago, you might have one mail server and one domain server and one web server, and each one of these were on their own physical computer in a data center somewhere. But with VMware, there’s now one physical server with many virtual servers inside it, all separated into their own container. They can all share the same hardware resources. It’s important to test VMware for security holes since it runs all these different operating systems. The way Pwn2Own set up the contest was they installed the latest version of Windows, then installed the latest version of VMware workstation, and in that VMware workstation they installed another latest version of Windows. From the virtual Windows computer, they loaded up the Edge browser and went to 360’s website.
BRIAN: That’s all you had to do. At that point, we took our hands off of the computer and watched the exploit work, effectively. What was happening behind the scenes is they were abusing a vulnerability in the browser that would allow them to get an exploit primitive that would allow them to do an out-of-bound write and an out-of-bound read. This would allow them to exploit the browser. Then they started to attack the Windows kernel because the vulnerability in VMware that they needed to access was one that required an escalation of privilege. It needed to be running an escalation to get access to that drive. Once they exploited the [00:35:00] operating system, the guest operating system, they started attacking the VGA driver of VMware workstation.
Once they finished exploiting the VMware VGA driver in VMware, the screen in the guest operating system would resize and then a calculator would pop up. Now, that calculator would normally be in the guest operating system but in this case, that calculator was actually running on the host operating system. They were actually able to get code execution in the browser, then get code execution on the guest operating system, then exploit a vulnerability in VG – in the VGA driver in VMware workstation which would allow them to escape the VMware workstation hypervisor and execute code on the host operating system to completely compromise the actual host operating system.
JACK: Wow, that is so incredible to me. That’s honestly one of the most astounding hacks I’ve ever heard of. You should not be able to take control over a computer by just browsing to a website. That alone is still blowing my mind that teams are able to do that at Pwn2Own practically every year. But then escape out of the virtual computer and get full access to the host computer? That’s just insane because the guest operating system should absolutely have no way to access the host’s operating system. For instance, I’ve seen honeypots run from within VMs and I’ve seen people using VMs to open malware or phishing e-mails or browse the shady sites because what’s the worst that could happen? The VM could be infected but that’s easy to delete and create a new one. But now, now we see 360 demonstrate that no, it is possible to escape out of a virtual machine and get access to the host computer. That just sends chills through me.
BRIAN: It was crazy to watch and the first time I saw it, I was amazed to see how efficient it was and how amazing the actual exploit was. I remember it took quite a bit of time. It took I think a minute or two to actually pull off because it was a lot of activity going on in the exploit but when it popped calc on the host, everybody cheered and was quite excited to see that actually happen live in front of everybody.
JACK: 360 won $105,000 for demonstrating that attack chain. There’s so many incredible exploits that get demonstrated at Pwn2Own. I’m fascinated by so many. For instance, George Hotz has competed in this and walked away with prize money multiple times. He’s the guy who jailbroke the first iPhone, modified the PlayStation which caused a crazy lawsuit, and is a member of the PPP CTF team which has won like, six black badges at Defcon now and has created a company which develops software for self-driving cars. [MUSIC] There’s another team I think is worth mentioning; it’s called Fluoroacetate.
DUSTIN: Yeah, that’s their team name and it’s actually a pun because it’s based off of a pesticide, so they’re bug-killers.
JACK: It’s made up of two people, Richard Zhu and Amat Cama.
DUSTIN: They’re definitely an interesting pair. Amat is from Senegal and then Richard lives on – in the US.
JACK: Before forming the team, they had both been going to Pwn2Own just as independent researchers. In 2017, Richard Zhu brought an exploit for the Microsoft Edge browser to demonstrate. The Pwn2Own contest organizers used Microsoft Edge to browse to Richard’s server and that’s it; hands off the keyboard. From there, Richard tried to use that session to take over that computer. But something went wrong on his first attempt. The exploit didn’t work. Now, contestants have five minutes to show their exploit and while up there on stage all alone, Richard began typing, fixing his exploit on the timer. He said okay, try again. So, the contest organizers tried again and went to his website. He tried to exploit the browser but it didn’t work again. There was still time on the clock, so Richard went back to troubleshooting, trying to get the exploit to reliably trigger.
BRIAN: I remember his hands were shaking quite a bit as we got closer to the end of the clock.
JACK: Can you imagine? You’re at the yearly Pwn2Own. Everyone is watching to see if you’ve got what it takes and you’re trying to type and debug code live in front of people. It’s gotta be nerve-wracking. But he got something ready and he asked them to try again, and this time it worked. He was able to take control of that session and open a calculator on the computer that went to his web server. He still had 1:37 left on the clock when it was over. He won $70,000 for that exploit. That’s who Richard is. The other guy on this team is Amat.
BRIAN: Amat’s specialty was actually – was baseband exploitation.
JACK: Baseband is a technology that mobile phones use. It’s a type of signal with a specific frequency range. If you think about all the different wireless signals coming in and out of your phone; there’s WiFi of course, there’s Bluetooth and NFC, [00:40:00] and to make calls, it uses baseband.
BRIAN: What he is very good at is actually exploiting the baseband processor in the phones.
JACK: Pwn2Own now has a baseband category for people who want to try to hack phones through this wireless signal. Here’s the scenario; your phone tries to connect to the nearest base station to get a signal from the carrier. But suppose someone pulls up with a van right outside your house and in that van is a rogue base station acting like a carrier cell tower. Well, your phone might connect to that base station. The question is, if it does connect to a rogue cell tower, what could that base station do to your phone? Keep in mind, we’re only talking about the baseband frequency here which is not the same as TCP/IP or whatever networking we all might be familiar with. This is what Amat was researching for Pwn2Own.
BRIAN: Well, there’s a protocol that happens between the base station and the actual phone itself for communication purposes. Then usually what ends up happening is Amat will have found a weakness in this – in the implementation of this protocol and he’ll exploit a vulnerability inside of the process – inside of the baseband processor to gain code execution in that part of the phone. Using just stack overflows and some of the more classic vulnerabilities over time, that’s what we’ve seen a lot inside of the baseband processors.
JACK: Okay, so he earns money for that?
BRIAN: Yes, he does. From 2017 to 2019, the Samsung Galaxy was part of the contest and it was actually exploited via baseband three years in a row.
DUSTIN: Each of those was $50,000 plus.
JACK: Wow. I’m just glad that someone is there poking at this stuff. There’s so much technology integrated into our personal and private lives that we don’t even realize is there, and I sure hope it’s all secure. I guess we have Amat to thank for finding vulnerabilities in the way some phones handle the baseband processing and getting that stuff fixed. But anyway, these two guys Richard and Amat were really doing well at Pwn2Own on their own, winning prize money year after year, so they decided to team up and they called themselves Team Fluoroacetate. From there, they just started dominating.
DUSTIN: [MUSIC] Well, they kinda take over Pwn2Own for a couple years. They really complement each other very well with how they are able to research. Starting at about 2018, they took over Pwn2Own Vancouver as well as Pwn2Own Tokyo and were definitely scoring more points than everyone else. They were bringing a lot of great research to the contest and leaving with a lot of our cash.
JACK: Alright, so Fluoroacetate retrieved a deleted photo from an iPhone?
BRIAN: In this case, what we end up doing at the contest is we – the way that you demonstrate the code execution on a phone is we have SMS messages and photos on the phone that we’ve taken. We usually take silly photos before we put the phone inside of the RF enclosure. There was a year where we actually – we deleted one of the photos from the phone because we did not want it to – it was not something we wanted to show in front of the entire audience. But what ended up happening is they actually exploited a vulnerability in the browser and retrieved the photo archive from the phone. The first photo that they pulled up was actually the photo that we had deleted. It was – didn’t show up on the phone as being actively there but it was clearly there still in the cache. The exploit was actually able to retrieve deleted content from the phone that just hadn’t been removed by the cache yet.
JACK: Everyone was properly shocked by this. The Pwn2Own guys were like, how did they recover a deleted photo? It’s been deleted from the phone. But not only that; again, the simplicity of this is just so stunning to me. Just by going to a malicious website is all the user had to do to get their phone completely taken over. There’s no need for the user to click Install on something or accept any weird pop-up. Just visiting the website was all it took.
DUSTIN: In 2019, we partnered with Tesla to have it – a Model 3 available to hack at Pwn2Own. As part of that, we got different head units from Tesla and we shipped them around the world to various researchers including Richard and Amat.
JACK: Okay, so the head unit is just the electronics inside the car, the infotainment system on the front dashboard, really, because that head unit can basically control the whole car. If you can exploit that, you can pretty much take over the whole car. They shipped these head units out to some of the contestants like Richard and Amat to try to hack into it.
DUSTIN: Amat forgot that Senegal runs its electricity different than California. He plugged it into a 220 outlet when it was set to 110 and it immediately fried the head unit.
JACK: Oh, man. Ouch. But he got a new power brick and he was lucky that was the only [00:45:00] thing that got fried. Once they had the Tesla head unit all back together, they started hacking away at it and they found an exploit. They brought their exploit to the Pwn2Own event where there was a complete Tesla Model 3 in the parking lot. Inside the Tesla on the dashboard is a little computer with a touch screen and everything, and on that is a web browser. From that web browser, they visited Team Fluoroacetate’s website and they were able to exploit that session and take over the Tesla.
DUSTIN: That was enough for them to win a Tesla Model 3.
JACK: Of course they got to keep the car. It’s Pwn2Own. If you pwn it, you own it, remember? Ah, this contest is cool. It really brings out some crazy bugs that should have absolutely been fixed.
DUSTIN: From my perspective, one of the things I like about the contest is it really allows us to guide researchers in specific areas. What usually happens is we’re sitting around just trying to come up with what categories we want to see really cool research in, and then we include that in Pwn2Own. Then hopefully that encourages researchers to do research in that area and then report those bugs. That’s kinda how we came up with the virtualization category, is we just said we want to see VMware bugs and we weren’t getting any in the program. Then we started getting VMware bugs and now we get quite a few, starting with just a couple in 2017. That to me is a great value to the program as well.
BRIAN: Yeah, it’s quite fun. I think from my perspective, I’ve been involved in it – with it now for quite a bit of time and you really get to see the change in the way that the community approaches the problem of exploitation. Back when I first started it was small teams, individuals participating in the program, and then small companies got involved like Vupen where they would actually have a workforce that was developing exploits for the contest and then very large organizations, some of the biggest companies in China participating at a large scale, bringing exploits for every single category, every single target. Then it’s shifting back to the small, individual researchers again. The fact that it is possible to write some of these exploits and research these attack surfaces as an individual I think is important for people to see. Then now, again, we’ve got small teams starting to participate again.
JACK: While Pwn2Own is not really a spectator sport, it’s still an exciting contest. They don’t really show anything to the audience because they need to verify the exploit before giving points and they don’t want other teams to see how it was done. So, there’s not much to see if you go. But what happens in the wires is where the exciting part happens and the people who compete in it, yeah, I’m gonna say this is the big leagues. It’s a place to demonstrate you’re one of the top-tier hackers in the world which brings us back to Pedro and Radek, the two guys you heard at the beginning. Together, they’re known as Team Flashback. I had the chance to talk with them after they won the Masters of Pwn in November, 2020.
PEDRO: Okay, so our team is called Flashback. We just thought it was quite a cool name to have and we just went with it. Also kind of related to hardware hacking which was pretty much what we do, right, is flashing something, you know? Hence, Flashback.
JACK: This is Pedro but I’ve gotta say both Pedro and Radek do sound very similar to me.
PEDRO: So, we met – actually, the way we met was Radek hired me. He hired me as an external consultant for the company he was working at the time. We got along pretty well. Fast forward, we like the same stuff. For example, we like motorbikes, so we’d go on motorbike trips. This was 2018. We decided that we wanted to do something together when we were in one of these motorbike trips. Then the initial idea was for us to provide some training, specialized training in this area. But then this opportunity of Pwn2Own just appeared out of nowhere. I just remember – Radek, I just suggested to him, and from then on it just caught fire, you know? Then we just decided to go for all Pwn2Owns we could.
JACK: Okay, now, hold on a second. It doesn’t work that way because trying to find a zero-day vulnerability in some of the most secure software; I mean, the browsers are working really hard. You’re going against Google engineers here and Microsoft engineers to say we think we can find something that you guys overlooked. What gave you that confidence that you think you can find zero-day vulnerabilities? Have you historically been good at finding these things or why this?
RADEK: As Pedro mentioned, we know each other for some time already. When I hired Pedro for the project that I was doing at work, we team up pretty fast together. We were starting to find vulns in software for Cloud, for network devices. It immediately clicked, our personality, that we can work for – efficient together and [00:50:00] find zero-days or vulns super-fast. Yeah, if you look actually at our history or achievements; so, Pedro has like, I don’t know, what, is it like over 100 RCEs under his name? I always thought I would stay in the shadows so I didn’t publish a lot of vulnerabilities. But I think we had quite a lot of achievements already, this far.
JACK: RCE is remote code execution and yeah, Googling Pedro’s name, I see a bunch of hits of vulnerabilities with his name on them, specifically vulnerabilities which allow him to execute remote commands on a device using an unknown vulnerability. For this team, they’re both professionals in the security field who like looking for vulnerabilities in products.
PEDRO: Yeah, we had some experience. Like you said, we just clicked together and then yeah, we just – it’s a game of perseverance, right? Finding any vulnerability is all about perseverance. I mean, how hard and how deep you want to go and what kind of patience you have ‘cause it really tests your patience.
JACK: What they like poking at most are hardware devices like routers that you would find in your house. These are physical devices, yes, but they have software running on them, too. This combination of how the software interacts with the hardware is where they’re looking for vulnerabilities.
RADEK: For us, the approach is, well, we both work together on the target. We are in different time zones so we can kind of split the work. That works super-good because when I wake up, I got some results from Pedro. Then he takes over and so, I take over. That works pretty good.
JACK: Are you both having a way or trying to do the same kind of thing or is somebody good at networking while the other one’s good at reverse engineering? What are your strong points in – as a team here?
RADEK: We have a lot of overlaps in terms of finding vulns or exploitation but obviously, one each of us had a bit more edge on specific aspects. For instance, I am a little bit better at the hardware side, so taking the VMware from the devices and doing some hardware modification while Pedro is better in writing exploits. While we both could do the same, it’s just way – much faster, efficient, if you focus on the areas that you are better in. Still, when we always work on a target, we always work together. We never like to disconnect the activities. We always go through it together with the attack vectors, and so on. We always are in sync full-time.
PEDRO: The goal is to always achieve remote code execution. In our jobs, we kinda do a little bit different role because we’re more on the defensive side or offensive, but to try to help companies. We basically catalogue all the vulnerabilities we found. Can be some file disclosure, some unauthenticated download, et cetera. But for Pwn2Own, really, all we care is get control of the device and gain remote code execution by whatever means possible. Sometimes those means can be quite simple in some cases and other times can be very convoluted, very complicated with exploits, chaining five and six exploits into one in order to get this remote code execution.
JACK: [MUSIC] One of the vulnerabilities they found was on a normal off-the-shelf home router. They got one and looked inside at the software and they saw what services were running on this router and started scrutinizing each service to see if any of them had a vulnerability. After a week, they had developed a fully-functional remote code execution. Here’s how that works; these routers sit in our homes, okay? One side is connected to all the computers inside the home and the other side is connected to the internet, your ISP. They found a way to craft a packet in such a way that the router would process it and then execute whatever commands were in that payload.
PEDRO: But in this case was quite tricky because we could only really inject one or two characters at a time. What we did is we basically wrote a file to the operating system by exploiting the vulnerability multiple times, injecting one character at a time until we build the command we wanted, and then we just executed that file. That’s how we got our root shell.
JACK: When they were able to conduct this exploit for the first time, it was quite exciting.
RADEK: Oh yeah, this is the best feeling in the world, you can say. People might think that the more exploits you develop and you have, it’s kind of – get normal but for me at least and I see with Pedro as well, every single time we got the new exploit, a new RCE, it’s just like a fresh, completely new experience. You are super-hyped and super-happy that you finally got it. You feel like you walk elevated and you just don’t want to stop. [00:55:00] That’s the super-big reward.
PEDRO: Yeah, you giggle like a schoolgirl, really.
JACK: This is such a scary exploit. Anyone on the internet who has this exploit can send some packets to your router and get a root shell from that. A root shell means you could do anything you want on that router, including looking at all traffic coming in and out of your home. This is the kind of exploit that governments and mercenary hackers would love to get their hands on. But Team Flashback is not interested in selling their vulnerabilities to people like that.
RADEK: Well, in the first place, we wanted to participate in Pwn2Own, so we were going after the targets which were on the list for Pwn2Own. We were playing by the rules. Of course, we could sell it to the broker or somebody but we believe that was the best way forward for us, to participate in Pwn2Own. Yeah, I think this is a pretty dangerous exploit, especially the one side. The things that NSA or any malicious actor has some capabilities could hack any router of this type, the home router. Actually, two of our exploits were delivering a persistent back door. Once you exploit it, the user is not even aware of the exploit being planted or the back door being planted on your device which actually survives factory reset. It will stay there forever until we hack it back.
JACK: Wow. Okay, yeah, I mean, you want to do Pwn2Own ‘cause you want to prove you’re the Masters of Pwn and the best hackers in the world.
PEDRO: That was our goal, yeah. I mean, it’s all about motivation, right? Our motivation is not money. We can tell you. I’m talking for myself, but I know Radek thinks the same. We could make a lot more money selling this in the gray market.
JACK: You said you’re not motivated by money. What are you motivated by?
PEDRO: I think in my particular case, it’s not as much fame but it’s more like respect. I really love hacking. As I said, I spend all my waking hours doing it, basically. When you love something, you want to be respected by your peers, right? It doesn’t mean that I have to be the best guy ever or that people have to fawn over me. That’s not what I’m looking after. I’m looking for to be respected by the same people that you respect, right? I think everyone in every field, not just the cyber-security, that’s what they really aim for. This is a way to do it. Honestly, obviously money also plays a role but in the end, I got my other job and Radek has got his other job that gives money. The Pwn2Own prizes are not bad at all. Yeah, we could get more in the gray market but it’s just not worth not having the fame and the respect we can get from Pwn2Own.
JACK: Together, Team Flashback has brought eleven working zero-day exploits to three different Pwn2Own events and have taken money home from each event. In the November 2020 Pwn2Own, they won Masters of Pwn.
RADEK: Well, in total, I think it was 50k for 2019 Tokyo.
RADEK: 55. Then 75k for Miami in January. That was industrial control systems hacking. Now, was the 40, Pedro?
PEDRO: 40 plus the bonus, I think.
RADEK: Yeah, plus the bonus; 25k. It was – I don’t know how much. Around…
PEDRO: 200k in a year which is pretty good even if divided by two.
JACK: Wow, you could – yeah, you could live off that.
RADEK: Well, that’s only our side job, you know, for the weekends.
PEDRO: Well, I wish, because it consumes a month, but yeah. But it was worth it. The motivation is not money, right? But it’s always good to also have a bit in your pocket.
JACK: [MUSIC] Now, it’s common to experience something weird when competing at Pwn2Own, and Team Flashback had something weird happen to them, too. In 2020 they brought six working vulnerabilities to the competition but were only able to execute four of them. Two of them were mysteriously patched just days before the event. They don’t know why. Maybe the vendor found it. Maybe another team submitted it ahead of time. Who knows if something shady went on?
PEDRO: Yeah, there’s a lot of dirty tricks in the history of ZDI. This is a well-known thing. From what we heard, unofficially from the ZDI guys, this is quite common or used to be quite [01:00:00] common because there’s a thing – there’s been a shift in the last few years. In the beginning, Pwn2Own was mostly independent researchers and independent teams like us. Then it shifted to company-supported. For example, Tencent and 360, they still – they’re blocked by the Chinese government to participate in Pwn2Own but they have their own Chinese Pwn2Own. If you look, they have amazing results. I mean, let’s be honest, way better than us. But these guys, they’re like basically twenty – the winning team in the Chinese Pwn2Own is here; it had nineteen people. That plus corporate backing, you can’t really beat as an independent. The good side of the Chinese not being allowed to participate in the competition is that we’re back again to independent researchers. I’d say 50/50; you got company teams but they’re a little bit smaller and the rest are independent researchers like myself and Radek.
JACK: Yeah, in 2018, the Chinese government wrote a new policy to discourage security researchers from participating in sharing exploits at foreign hacking competitions like Pwn2Own or even CTFs. I guess they want to keep the exploits within China and not share them. Huh. Oh yeah, CTFs; this is a totally different kind of hacker contest. It’s called Capture the Flag. If you want to know more about this, check out Episode 43 called PPP. Actually, in that episode I said whoever wins Defcon’s Capture the Flag contest can rightly claim to be the best hackers in the world. But I’m starting to think that Pwn2Own is right up there too as being one of the most prestigious hacking events. I’m pretty sure it’s one of the highest-paying hacker contests, too. But like these guys said, there are certainly better hackers out there. They’re just in the shadows. But it makes you think about how precious a zero-day exploit is.
Together, Radek and Pedro have found over 200 zero-day exploits which can do remote code execution while other governments and mercenary hacker groups out there are buying exploits and holding onto them tight, treating them as precious, expensive, top-secret tools. What does that say about hackers who have so many zero-days that have no problem demonstrating them at contests versus hackers who would never share their zero-days with others? I don’t know, actually. But I do get worried sometimes that zero-day hacking tools are sometimes only available for the elite or rich to buy and are used for nefarious reasons. Something like ZDI is out there trying to level that playing field, making those exploits no longer usable because we’re all patching our routers and computers and phones and software and operating systems, right? Because when we apply patches to software, it fixes any vulnerabilities that that vendor knows about, rendering attacks like this useless. Again, I’m urging you; patch your stuff. Guys, how did you celebrate when you won Masters of Pwn?
PEDRO: Well, due to coronavirus, we can’t celebrate together unfortunately, but I guess I got drunk that day. I can tell that.
RADEK: But yeah, it definitely – it is a good feeling. We were aiming for Masters of Pwn. We are super-happy it happened. I’m sure we’re gonna celebrate properly when the coronavirus situation is over and we can meet again. Probably gonna do some motorbike trip and think about the future, what the next project…
PEDRO: Hack some more.
RADEK: …yeah, hack some more stuff.
(OUTRO): [OUTRO MUSIC] A big thank-you to Dustin Childs and Brian Gorenc from the Zero Day Initiative. Thanks for all the contests you put together and the money you’ve paid out for this. It really does help us all stay more secure. 2020 marks the 15th anniversary of ZDI and it’s still going strong and bigger than ever. Can’t wait to see what stories come out in the next fifteen years. Also a big thank-you to Pedro and Radek from Team Flashback. Congrats on the win and good luck in your next contest. If you like this show, if it brings value to you, consider donating to it through Patreon.
When you buy a book or watch a movie, you pay for it before you know if it’s worth money. But I give you this show without any upfront costs or barrier so you can decide if it brings value to you and is worth supporting. Please show your appreciation for the show by visiting patreon.com/darknetdiaries and become a member. Thank you. This show is made by me, the master of nothing, Jack Rhysider. Editing help this episode by the little pony, Damienne, and our theme music is by the Saturn ring-collector, Breakmaster Cylinder. Even though I pour gas on my firewall whenever I really need to stoke that fire inside it, this is Darknet Diaries. [01:05:00]
[OUTRO MUSIC ENDS]
[END OF RECORDING]