China hosted the largest national hackathon Tianfu Cup – a competition of teams of experts on attacks on information infrastructure. Using previously unknown vulnerabilities, participants were able to hack virtually all the most advanced software products.
The winner received $744,500 for successful attacks on Google Chrome and Mozilla Firefox browsers, as well as for hacking the iOS operating systems (iOS) running the iPhone 11 Pro and Microsoft Windows 10 2004 running on the Surface Pro 5. Members of 360 Enterprise Security and Government and (ESG) Vulnerability Research Institute work for the Chinese Internet security company Qihoo 360. In total, this team took two-thirds of the total prize pool, which was 1.2 million dollars.
Qihoo 360 employees were also able to hack the corporate virtualization software VMWare EXSi, Adobe Reader (2 successful attacks), SamsungGalaxy S20 smartphone running Android 10, software environment of emulation of QEMU and Ubuntu 20. To top it all off, they easily took control of the TP-Link WDR7660 router.
Other participants also distinguished themselves – under their onslaught, the Safari browser, the Docker enterprise software management suite and the ASUS AX86U router “fell”. In addition, not only Qihoo 360 specialists successfully coped with the breach of the above software. Most targets were attacked more than once.
For example, the iPhone 11 was jailbroken in two ways, just like the Galaxy S20. And the document viewer in PDF format from Adobe made a difference – five successful attacks were made on it. A comparable number of new vulnerabilities were found only in the TP-Link router: 4 pieces.
It is noteworthy that the organizers of the hackathon chose a few more goals as disciplines of the competition, but the participants left some of them unattended. Microsoft Edge browser, VMware Workstation custom package and Exchange Server 2019 system could bring teams another 380,000 dollars. But for some reason they did not spend their energy. Perhaps these software products are not of much interest to cybercriminals, or perhaps there is simply no time left for them within the framework of the competition.
In total, 11 out of 16 targets were achieved, and the most common applications and operating systems were successfully attacked. It goes without saying that the developers of each software product received detailed information about all identified vulnerabilities.
The Tianfu Cup hackathon has been held since 2018. It was organized after the Communist Party banned Chinese cybersecurity specialists from participating in overseas professional competitions. In terms of its principles, this competition is similar to one of the most prestigious hacker championships – Pwn2Own. Participants are given a goal, for example, to execute code with certain privileges on the attacked device. They must find a previously unknown vulnerability and implement it. For the successful completion of the task, points are awarded, and then cash prizes. All identified software errors must be reported to the software creators.
