The Viettel Cybersecurity Team (VCS), comprising young cybersecurity experts from Viettel Group, has been actively competing in the Pwn2Own competition for the past four years. They clinched their first championship this year.
Pwn2Own is a competition where participants are tasked with exploiting previously unknown vulnerabilities in software or consumer electronics devices developed by the world's leading manufacturers.
The competition, which used to be an annual event hosted by the renowned cybersecurity organization Zero Day Initiative, now occurs twice a year.
A race against technological Goliaths
Nguyen Son Hai, the director of VCS, shared with Tuoi Tre (Youth) newspaper that the team achieved its inaugural victory in the SmartTV category at the 2020 Pwn2Own competition.
After securing fifth place in 2021, team Viettel demonstrated remarkable improvement, attaining second place the following year.
This year, Pwn2Own Toronto 2023, held from October 24-27, marked a significant triumph for VCS as they claimed the coveted title of "Master of Pwn" with an impressive 30 points, surpassing the nearest competitor by a substantial margin of 12.75 points.
Participating in the competition meant facing off not only against world-renowned cybersecurity teams but also against leading manufacturers and major tech corporations.
The organizers challenged participants to identify security vulnerabilities in smartphones like Xiaomi 13 Pro, Samsung Galaxy S23, Google Pixel 7, Apple iPhone 14, and printers such as HP Color LaserJet Pro MFP 4301fdw, Canon imageCLASS MF753Cdw, and Lexmark CX331adwe.
Competitors had the daunting task of uncovering previously undetected vulnerabilities in these devices and software programs, presenting their exploitation methods within a tight 30-minute time limit.
Nguyen Hong Quang, a VCS member, highlighted the unique challenge of competing not only with other cybersecurity teams but also with device manufacturers who are eager to rectify vulnerabilities before the competition to maintain consumer trust.
The competition, fiercely contested from start to finish, required teams to contend with the constant risk of manufacturers fixing discovered vulnerabilities before the competition's opening day, rendering their efforts fruitless.
Ngo Anh Huy, a member of the VCS team participating in Pwn2Own Toronto 2023, in a provided photo. |
Ngo Anh Huy, a senior member of the VCS team, recounted the meticulous attention the team paid in shifts leading up to the competition, monitoring the status of known vulnerabilities and vendor fixes.
Pwn2Own Toronto 2023 focused on hardware security vulnerabilities in categories such as smartphones, smart speakers, surveillance systems, network-attached storage device, and office electronic equipment.
Cash prizes ranging from US$30,000 to $100,000, on a scale of 2-10 points, were awarded based on the difficulty of the challenge and the effectiveness of the vulnerability presentation.
The most coveted prize, both in terms of value and points, was in the "mash-up" category. Participants had to initiate the attempt by exploiting the code of a selected router.
Successfully compromising the router allowed them to then compromise another device from the competition network categories, with a $100,000 prize and 10 points at stake.
To clarify, entrants could choose any combination of router and home automation hub, smart speaker, printer, or network storage device during registration.
Preparing for the worst to achieve the best
In anticipation of potential challenges, VCS embarked on a successful journey through individual categories, with devices such as the Xiaomi 13 Pro smartphone, the QNAP TS 464 network storage device, the Canon imageClass MF753Cdw printer, and the Sonos Era 100 smart speaker.
With 20 points secured, their victory seemed imminent, especially considering that the main competitor, Sea Security, trailed with only 17.25 points at the same juncture.
Despite the reduced competitive pressure, members of VCS remained vigilant about the final category, mash-up, which eluded them the previous year due to a point deficit.
Huy recalled, "This time, we faced a disadvantage in the mash-up category during the draw to determine our competition order. Taking the next turn meant potential point deductions if our attempts overlapped with those of other teams."
Last year's unfortunate situation, where VCS fell short by 2.5 points for the championship, served as a lesson.
"This time, we not only focused on exploiting new hidden vulnerabilities but also actively selected ones that are exceptionally challenging to detect and distinct from those pursued by other teams. We also targeted vulnerabilities that might be easy to identify but difficult to exploit, and had several alternative plans," added Huy.
In the end, the VCS team achieved a perfect score of 10/10 points in the mash-up category, securing a total of 30 points and clinching the competition. The second-place team was surpassed by a significant margin of 12.5 points.
Like us on Facebook or follow us on Twitter to get the latest news about Vietnam!