A number of operating systems and products, from Windows 10 and iOS 15, to Apple Safari, and Google Chrome, to Microsoft Exchange Server, and Ubuntu 20, were successfully hacked into during China’s Tianfu Cup 2021. What’s even more interesting than the contest itself was the fact that the fourth edition of the international cybersecurity competition saw participants making use of completely original, and largely never-seen-before exploits to break into systems at Chengdu, China.
Nearly All Targets Hacked Successfully
Apart from Chrome, this year’s targets included Apple Safari running on MacBook Pro, Windows 10 21H1, Adobe PDF Reader, Ubuntu 20/CentOS 8, Docker CE, Microsoft Exchange Server 2019, VMware Workstation, Windows 10, Parallels Desktop, VMware ESXi, iPhone 13 Pro that runs on iOS 15, as well as domestic mobile models that run on QEMU VM, Android, ASUS RTAX56U, and Synology DS220j DiskStation.
Interestingly, the Xiaomi Mi 11 smartphone and Synology DS220j NAS, along with an unnamed Chinese electric vehicle, could not be hacked.
The Fourth Edition, with $1.88 Million Up For Grabs
The Tianfu Cup is largely seen as the Chinese version of Pwn2Own, and was started back in 2018 when the country’s government started barring its security researchers from taking part in international hacking contests, citing national security concerns.
The two-day tournament took place this year between October 16 and 17, seeing security researchers winning a total sum of $1.88 million as prize money. Kunlun Lab clinched the top spot, winning $654,500 for demonstrating successful exploits in iOS 15, like a remote core execution flaw in mobile Safari, in 15 seconds flat. The team also pwned Google Chrome, using two bugs to gain “Windows system kernel level privilege.”
Meanwhile, Team PangU, which took home the second prize, won a total of $522,500, in exchange for demonstrating a remote jailbreak in the iOS 15-based iPhone 13 Pro. This is the first time the brand new iPhone model has been cracked at a public forum. The third prize went to the Vulnerability Research Institute (VRI), which won a haul of $392,500.
Helping Uncover Flaws
One good thing that is expected to come out of the competition is security patches to prevent the newly discovered flaws, which will apparently be released by the respective parent companies in the following weeks. This will help prevent any major mishaps owing to the issues in the future.
At the same time though, exact details of the flaws have not been made public, and the firms might as well be required to contact the researchers and analysts in order to find out more about them.
