A number of operating systems and products, from Windows 10 and iOS 15 to Apple Safari, Google Chrome, Microsoft Exchange Server and Ubuntu 20, were successfully hacked during the 2021 Tianfu Cup in China. Perhaps more interesting than the competition itself is that, in this fourth edition of the international cybersecurity competition, held in Chengdu, entrants used completely original and largely never-before-seen exploits to break into systems.
Almost all targets successfully hacked
Besides Chrome, this year’s targets included Apple Safari running on MacBook Pro, Windows 10 21H1, Adobe PDF Reader, Ubuntu 20 / CentOS 8, Docker CE, Microsoft Exchange Server 2019, VMware Workstation, Windows 10, Parallels Desktop, VMware ESXi, the iPhone 13 Pro running iOS 15, as well as home mobile models which run on QEMU VM, Android, ASUS RT-AX56U and Synology DS220j DiskStation.
Interestingly, the Xiaomi Mi 11 smartphone and Synology DS220j NAS, as well as an unnamed Chinese electric vehicle, could not be hacked.
The fourth edition, with $1.88 million up for grabs
The Tianfu Cup is widely regarded as the Chinese version of Pwn2Own, and was launched in 2018 when the country’s government began banning its security researchers from participating in international hacking competitions, citing national security concerns.
The two-day tournament was held this year between October 16 and 17, and security researchers took home a total of $1.88 million in prizes. Kunlun Lab grabbed the top spot, taking home $654,500 for demonstrating successful exploits in iOS 15, such as a remote execution flaw in mobile Safari, in 15 seconds flat. The team also compromised Google Chrome, using two bugs to gain “Windows system kernel-level privilege.”
Meanwhile, the second-prize winning PangU team took home a total of $522,500 for demonstrating a remote jailbreak of the iPhone 13 Pro running iOS 15, the first time the brand new iPhone model was cracked in a public forum. The third prize went to the Vulnerability Research Institute (VRI), which took home $392,500.
Help discover faults
One good outcome of the competition should be security patches for the newly discovered vulnerabilities, which will apparently be released by the respective parent companies in the coming weeks. These should prevent any major incident caused by the flaws in the future.
At the same time, however, exact details of the flaws have not been made public, and companies may well need to contact the researchers and analysts to learn more about them.