Revealing the Risks: Key Takeaways from Pwn2Own Ireland 2024 on Home and Office Device Security

Pwn2Own Ireland 2024, held in Dublin, was a four-day cybersecurity competition organised by the Zero Day Initiative. During the competition, security researchers attempted to exploit zero-day vulnerabilities in a range of devices commonly found in home and small office environments. The competition awarded over $1,066,625 to researchers for successfully exploiting vulnerabilities in devices across seven categories, including NAS systems, surveillance cameras, printers, smart speakers, mobile phones, home automation hubs, and SOHO networks. The event highlighted the vulnerability of these devices to various attack vectors, underscoring the importance of security updates and best practices for protecting sensitive data. The competition culminated in Viettel Cyber Security winning the โ€œMaster of Pwnโ€ award for their consistent success in exploiting vulnerabilities.

 

Here are the different categories of devices that were targeted in the Pwn2Own Ireland 2024 competition, based on the sources you provided:
โ—Network Attached Storage (NAS): Several attempts were made to exploit vulnerabilities in NAS devices from vendors like QNAP, Synology, and TrueNAS.
โ—Surveillance: Numerous participants targeted vulnerabilities in surveillance cameras from vendors like Lorex and Ubiquiti.
โ—Printers: Attempts were made to exploit vulnerabilities in printers from vendors like Canon, HP, and Lexmark.
โ—Smart Speakers: Participants targeted vulnerabilities in Sonos Era 300 smart speakers.
โ—Mobile Phones: There was an attempt to exploit vulnerabilities in the Samsung Galaxy S24.
โ—SOHO SMASHUP: This unique category involved chaining exploits together to compromise multiple devices in a simulated small office/home office environment. The targeted devices included routers and NAS devices from QNAP, printers from Lexmark, and NAS devices from TrueNAS.
โ—Home Automation Hubs: An attempt was made to exploit an Aeotec Smart Home Hub.
The competition also included a โ€œMaster of Pwnโ€ award given to the team that earned the most points by successfully exploiting vulnerabilities.
In addition to these categories, the sources mention attempts to exploit vulnerabilities in routers from Synology. However, itโ€™s unclear whether โ€œRoutersโ€ is a distinct category or falls under the broader category of โ€œSOHO SMASHUPโ€.

 

 

QNAP Vulnerabilities at Pwn2Own Ireland 2024

The recent Pwn2Own Ireland 2024 hacking competition revealed a series of successful exploits targeting QNAP network-attached storage (NAS) devices. These exploits underscore the potential security risks associated with these devices and the importance of robust security practices.

Hereโ€™s a detailed look at the QNAP exploits:

Day One

  • SOHO SMASHUPs: Two teams achieved a โ€œSOHO SMASHUP,โ€ successfully chaining vulnerabilities across multiple devices in a simulated small office/home office network. Both attacks exploited a QNAP QHora-322 as the initial entry point:
    • Sina Kheirkhah of Summoning Team used a chain of nine different bugs to compromise the QNAP QHora-322 and then pivot to a TrueNAS Mini X NAS device, earning him $100,000 and 10 Master of Pwn points.
    • The Viettel Cyber Security team also achieved a SOHO SMASHUP, compromising a QNAP QHora-322 and then a TrueNAS Mini X device, earning them $50,000 and 10 Master of Pwn points. Their attack chain leveraged SQL injection vulnerabilities and issues related to missing authentication and exposed functions, allowing unauthorized access to sensitive functionalities or data.
  • QNAP TS-464: ExLuck successfully exploited a QNAP TS-464 NAS device using a chain of four vulnerabilities, earning $40,000 and 4 Master of Pwn points. Two vulnerabilities were identified: an improper certificate verification vulnerability and a hardcoded cryptographic key, both of which could allow attackers to intercept communications or decrypt protected data.

Day Two

  • QNAP TS-464: Two teams exploited the QNAP TS-464 NAS device on the second day:
    • Chris Anastasio and Fabius Watson of Team Cluck used two bugs, including a CRLF injection vulnerability, to successfully exploit the device, earning $20,000 and 4 Master of Pwn points. CRLF injection allows attackers to manipulate server responses or inject malicious code.
    • YingMuo, with the DEVCORE Internship Program, earned $20,000 and 4 Master of Pwn points for an exploit involving argument injection and SQL injection vulnerabilities, which could lead to the execution of unintended commands.

Day Three

  • QNAP QHora-322: PHP Hooligans / Midnight Blue achieved a SOHO SMASHUP by chaining an out-of-bounds write vulnerability and a memory corruption bug to compromise a QNAP QHora-322 and pivot to a Lexmark printer, earning $25,000 and 10 Master of Pwn points. These vulnerabilities allow attackers to write data beyond intended memory bounds and disrupt program operations.
  • QNAP TS-464: Ha The Long and Ha Anh Hoang of Viettel Cyber Security exploited a QNAP TS-464 NAS device using a single command injection vulnerability, earning $10,000 and 4 Master of Pwn points.

Day Four

  • QNAP QHora-322: Chris Anastasio and Fabius Watson of Team Cluck achieved a partial SOHO SMASHUP, chaining together six vulnerabilities to compromise a QNAP QHora-322 and then a Lexmark CX331adwe printer. Although one of the bugs had been previously exploited, they earned $23,000 and 9.25 Master of Pwn points.

The successful exploits targeting QNAP devices during Pwn2Own Ireland 2024 highlight the range of vulnerabilities that can exist in these devices, from improper certificate verification to SQL injection and command injection vulnerabilities. This event reinforces the need for users to maintain a proactive security posture, ensuring their QNAP devices are updated with the latest security patches and following best practices to mitigate these risks.

 

 

 

 

 

Synology Hacks at Pwn2Own Ireland 2024

The Pwn2Own Ireland 2024 hacking competition revealed multiple successful exploits targeting Synology devices, highlighting potential vulnerabilities and the critical need for rigorous security measures and timely updates.

Day One

  • Synology TC500: The Viettel Cyber Security team exploited a Synology TC500 surveillance camera using a heap-based buffer overflow, which allowed them to overwrite memory with malicious code, potentially taking control of the device. They earned $30,000 and 3 Master of Pwn points.
  • Synology DiskStation DS1823xs+: Ryan Emmons and Stephen Fewer of Rapid7 exploited a โ€œImproper Neutralization of Argument Delimitersโ€ bug on a Synology DiskStation DS1823xs+, which allowed them to inject malicious commands. They earned $40,000 and 4 Master of Pwn points and noted this vulnerability affected other Synology devices. Later, Jack Dates of RET2 Systems exploited the same model using an out-of-bounds write vulnerability, earning $20,000 and 4 Master of Pwn points.

Day Two

  • Synology BeeStation BST150-4T: PHP Hooligans / Midnight Blue exploited a command injection bug on a Synology BeeStation BST150-4T, allowing them to inject and execute commands. They earned $40,000 and 4 Master of Pwn points. Synacktiv also exploited this device using a previously demonstrated vulnerability, earning points and a cash prize, though marked as a โ€œcollisionโ€ since the vulnerability was already known.
  • Synology DiskStation: Chris Anastasio and Fabius Watson of Team Cluck exploited a Synology DiskStation using an โ€œImproper Certificate Validationโ€ bug, which could let attackers impersonate legitimate entities. This earned them $20,000 and 4 Master of Pwn points.

Day Three

  • Synology BeeStation: Pumpkin Chang and Orange Tsai from the DEVCORE Research Team exploited a Synology BeeStation using a combination of CRLF injection, authentication bypass, and SQL injection, gaining complete control over the device. They earned $20,000 and 4 Master of Pwn points. Team Smoking Barrels exploited the same device using an โ€œunprotected primary channelโ€ vulnerability, earning $10,000 and 4 Master of Pwn points.

These Synology exploits at Pwn2Own Ireland 2024 illustrate a variety of vulnerabilities, from software bugs to insecure configurations. The event emphasizes the importance of securing Synology devices with the latest updates and vigilant security practices to protect against these risks.

 

 

TrueNAS Exploits at Pwn2Own Ireland 2024

The Pwn2Own Ireland 2024 competition showcased several successful exploits targeting TrueNAS devices, underscoring the importance of timely patching and robust security practices for network-attached storage solutions.

Breakdown of TrueNAS Exploits

Day One

  • SOHO SMASHUPs: Two teams achieved SOHO SMASHUPs involving TrueNAS Mini X devices:
    • Summoning Team: Sina Kheirkhah successfully exploited a QNAP QHora-322 router, then pivoted to a TrueNAS Mini X.
    • Viettel Cyber Security: This team used the same device combination for their SOHO SMASHUP, exploiting the QNAP QHora-322 router and pivoting to a TrueNAS Mini X.

Day Three

  • SOHO SMASHUP by Computest Sector 7: Daan Keuper, Thijs Alkemade, and Khaled Nassar achieved another SOHO SMASHUP, using four vulnerabilities to exploit both a QNAP QHora-322 router and a TrueNAS Mini X. The sources do not detail if any of these vulnerabilities overlapped with those exploited on Day One.

Day Four

  • TrueNAS X Exploit: Team Smoking Barrels successfully exploited a TrueNAS X device using two vulnerabilities already documented earlier in the competition.
  • Repeated Exploit of TrueNAS Mini X: Viettel Cyber Security team once again exploited a TrueNAS Mini X, using two previously identified vulnerabilities.

These repeated exploits emphasize the need for consistent patching and security vigilance for TrueNAS and other NAS devices.

Brand Vulnerabilities at Pwn2Own Ireland 2024: A Comparative Table
While the sources donโ€™t provide a complete inventory of every vulnerability exploited during Pwn2Own Ireland 2024, itโ€™s possible to compile a table comparing the vulnerability types associated with each brand based on the available information.
Itโ€™s important to note that the absence of a specific vulnerability type in the table below does not definitively mean that the brand was not susceptible to that type of attack. The sources primarily focus on the successful exploits and donโ€™t provide an exhaustive analysis of all potential vulnerabilities.
Vulnerability Type
Synology
QNAP
TrueNAS
Other Brands
Argument Injection
โœ“
Authentication Bypass
โœ“
โœ“
Command Injection
โœ“
โœ“
โœ“
CRLF Injection
โœ“
โœ“
Cryptographic Key (Hardcoded)
โœ“
Heap-Based Buffer Overflow
โœ“
โœ“
โœ“
Improper Certificate Validation
โœ“
โœ“
Improper Neutralization of Argument Delimiters
โœ“
Improper Verification of Cryptographic Signature
โœ“
Memory Corruption
โœ“
Missing Authentication
โœ“
Out-of-Bounds Write
โœ“
โœ“
โœ“
Path Traversal
โœ“
โœ“
โœ“
SQL Injection
โœ“
โœ“
Stack-Based Buffer Overflow
โœ“
โœ“
โœ“
Type Confusion
โœ“
Unprotected Primary Channel
โœ“
Untrusted Pointer Dereference
โœ“
Use-After-Free (UAF)
โœ“
Key Observations:
โ—
Prevalence of Web Application Vulnerabilities: Many of the vulnerabilities listed, such as SQL injection, command injection, and CRLF injection, are commonly associated with web applications. This suggests that web interfaces of NAS devices and other network-connected devices are often vulnerable attack vectors.
โ—
Memory Corruption Issues: Heap-based buffer overflows, stack-based buffer overflows, out-of-bounds writes, and use-after-free vulnerabilities all fall under the category of memory corruption issues. These vulnerabilities can be particularly dangerous, as they can potentially allow attackers to execute arbitrary code on the affected system.
โ—
Importance of Secure Configuration and Authentication: Vulnerabilities related to missing authentication, exposed functions, and improper certificate validation highlight the importance of secure configuration and strong authentication mechanisms to prevent unauthorised access and exploitation.
โ—
Value of SOHO SMASHUPs: The prevalence of successful SOHO SMASHUPs at the competition emphasises how attackers can chain vulnerabilities across multiple devices in a network to achieve broader compromise. This highlights the need for comprehensive security assessments that consider the interconnectedness of devices within a network.
By examining the types of vulnerabilities exploited at Pwn2Own, manufacturers, security researchers, and users can gain valuable insights into the current threat landscape and prioritise efforts to mitigate these risks.
Vulnerability Types Ranked by Successful Exploits at Pwn2Own Ireland 2024
Based on the information provided in the sources, here is a table listing the vulnerability types that were successfully exploited during Pwn2Own Ireland 2024, sorted by the number of confirmed successful exploits in descending order:
Vulnerability Type
Successful Exploits
Stack-Based Buffer Overflow
8
Command Injection
5
Out-of-Bounds Write
3
SQL Injection
3
Heap-Based Buffer Overflow
2
CRLF Injection
2
Use-After-Free (UAF)
1
Argument Injection
1
Improper Certificate Validation
1
Improper Neutralization of Argument Delimiters
1
Improper Verification of Cryptographic Signature
1
Unprotected Primary Channel
1
Untrusted Pointer Dereference
1
Missing Authentication
1
Hardcoded Cryptographic Key
1
Path Traversal
1
Authentication Bypass
1
Memory Corruption
1
Key Insights:
โ—
Stack-Based Buffer Overflow Dominance: The table highlights that the most frequently exploited vulnerability type was stack-based buffer overflow, accounting for 8 successful exploits during the competition. This vulnerability allows attackers to overwrite data on the system stack, potentially leading to arbitrary code execution. The prevalence of this vulnerability underscores the need for robust input validation and secure coding practices to prevent buffer overflow attacks.
โ—
Command Injection as a Key Attack Vector: Command Injection emerged as the second most commonly exploited vulnerability type, with 5 successful exploits. This vulnerability allows attackers to inject malicious commands into a vulnerable application, potentially gaining control of the underlying system. Secure input handling and sanitization are crucial to prevent command injection attacks.
โ—
Web Application Vulnerabilities Remain Prevalent: Beyond command injection, other vulnerabilities commonly associated with web applications, such as SQL injection (3 successful exploits) and CRLF injection (2 successful exploits), were also effectively exploited during Pwn2Own. This highlights the importance of securing web interfaces, especially in network-connected devices like NAS systems and routers.
โ—
Diversity of Exploited Vulnerabilities: While certain vulnerability types were more frequently exploited than others, the table showcases a diverse range of vulnerabilities that attackers successfully leveraged. This underscores the complexity of the modern cybersecurity landscape and the need for comprehensive security approaches that address a wide spectrum of potential vulnerabilities.
Analysing Successful Hacks at Pwn2Own Ireland 2024
The sources document the outcomes of various hacking attempts at Pwn2Own Ireland 2024, categorising them as either โ€œSUCCESSโ€ (a complete exploit), โ€œCOLLISIONโ€ (a successful exploit using a vulnerability previously demonstrated in the competition), or โ€œFAILURE.โ€ The sources donโ€™t explicitly break down the specific vulnerabilities used in each successful hack, particularly for the SOHO SMASHUP attempts, which chain vulnerabilities across multiple devices. Therefore, itโ€™s not possible to generate a table that definitively shows the number of successful hacks for each specific vulnerability type across all brands.
However, the sources do provide enough information to identify the most commonly exploited vulnerability types:
โ—
Stack-Based Buffer Overflow: This vulnerability, which allows attackers to overwrite data on the system stack, leading to potential code execution, was successfully used in numerous exploits throughout the competition.
โ—
Command Injection: This vulnerability allows attackers to inject and execute arbitrary commands on the affected system and was also a recurring theme in successful exploits.
โ—
SQL Injection: Successful attacks leveraging SQL injection, which allows for manipulating database queries to potentially gain unauthorised access or execute malicious code, were also documented.
The sources frequently mention additional vulnerability types, such as heap-based buffer overflows, out-of-bounds writes, and use-after-free vulnerabilities, but they often lack specific details about how many successful exploits relied on each of these types.
Hereโ€™s a summary of the overall successful hacks, including collisions, based on the information available in the sources:
โ—
Day One: A total of 12 hacking attempts were made, resulting in 8 successful exploits. Two of these were SOHO SMASHUPs, while the remaining six targeted individual devices.
โ—
Day Two: The sources state that 15 attempts were made on Day Two, but only document the outcomes of 14. Of these 14 attempts, 9 were successful, including one SOHO SMASHUP.
โ—
Day Three: A total of 10 attempts were made, resulting in 8 successful exploits. Three of these were SOHO SMASHUPs.
โ—
Day Four: Only 4 hacking attempts are documented for Day Four, with 3 successful exploits, including two that resulted in collisions.
Across all four days of Pwn2Own Ireland 2024, a total of over 70 zero-day vulnerabilities were exploited, resulting in a total payout of $1,066,625

The recent exploits demonstrated at Pwn2Own Ireland 2024 expose several vulnerabilities that pose significant risks to home NAS users, highlighting the critical need for heightened security measures. Hereโ€™s a closer look at the risks and protective steps home users should consider:

Key Exploits Affecting Home NAS Users

  • SOHO SMASHUP Exploits: These attacks, aimed at small office/home office (SOHO) environments, chained vulnerabilities across multiple devices, including NAS systems. Successful SOHO SMASHUPs could give attackers complete control over a NAS and other connected devices.
  • QNAP NAS Exploits: QNAP NAS devices were compromised using several techniques, including command injection, improper certificate validation, SQL injection, hardcoded cryptographic keys, and missing authentication. These vulnerabilities allowed attackers to access data, install malware, or disrupt functionality.
  • Synology NAS Exploits: Synology NAS devices faced multiple attacks, with exploits such as command injection, improper neutralization of argument delimiters, and out-of-bounds writes. Such vulnerabilities could compromise data security and device integrity for Synology users.
  • TrueNAS Exploits: Although less frequently targeted, TrueNAS devices were also exploited. Successful SOHO SMASHUPs involving TrueNAS demonstrate that attackers regard these devices as valuable entry points within home networks.

Impact on Home NAS Users

The successful exploitation of these vulnerabilities could lead to serious consequences:

  • Data Breaches: Attackers could steal sensitive information, including personal documents, financial data, and family photos stored on the NAS.
  • Malware Infections: A compromised NAS can spread malware to other devices on the same network.
  • Ransomware Attacks: Attackers could encrypt NAS data, demanding ransom payments to unlock it.
  • Data Loss: Attackers may delete or corrupt data, resulting in permanent loss if no backup is available.
  • Device Takeover: A compromised NAS could serve as a launching point for attacks on other connected devices or networks.

Mitigation Strategies for Home Users

To reduce risks associated with NAS-targeted attacks, home users should consider the following practices:

  1. Update Regularly: Ensure NAS operating systems and firmware are updated consistently to apply the latest security patches.
  2. Enable Strong Authentication: Use strong, unique passwords and enable two-factor authentication (2FA) where available.
  3. Restrict Network Access: Limit NAS access to trusted devices and networks only, utilizing the NAS firewall to control access.
  4. Disable Unnecessary Services: Turn off any services or applications on the NAS that are not actively used to minimize attack surfaces.
  5. Back Up Data Regularly: Store backups in a separate, secure location, such as an external hard drive or a cloud service, to safeguard against data loss or ransomware attacks.

By following these steps, home users can greatly reduce their vulnerability to NAS-targeted attacks, protecting both their devices and data from potential exploitation.

Closing Thoughts on Pwn2Own Ireland 2024

The Pwn2Own Ireland 2024 competition in Dublin was a remarkable showcase of the evolving cybersecurity landscape, particularly concerning devices commonly found in home and small office setups. Organized by the Zero Day Initiative, this event brought together top security researchers to uncover and exploit zero-day vulnerabilities in NAS systems, surveillance cameras, routers, printers, smart speakers, mobile phones, and home automation hubs. The competition awarded over $1 million, reflecting the critical importance of identifying and addressing these vulnerabilities.

The event highlighted several key takeaways:

  • Rising Vulnerability in Everyday Devices: With the rapid adoption of network-connected devices, even everyday home equipment can present serious security risks if not properly safeguarded. The prevalence of successful attacks on NAS devices, smart hubs, and routers underscores the need for a vigilant approach to home network security.
  • Complex Attacks Like SOHO SMASHUPs: The SOHO SMASHUP category, where attackers combined vulnerabilities across multiple devices, demonstrated how interconnected environments can be exploited for maximum impact. These attacks emphasize the importance of holistic security measures that consider network-wide configurations.
  • Variety of Exploits Used: From command injections to heap-based buffer overflows, the variety of exploited vulnerabilities illustrated the broad attack surface these devices present. This diversity highlights the need for device manufacturers to implement rigorous security practices throughout the development process.
  • Timely Updates and User Awareness: The success of these exploits also reflects the necessity for regular software updates and security patches. For home users, adopting strong authentication measures, restricting network access, and routinely backing up data are essential steps to mitigate potential risks.

Ultimately, the insights gained from Pwn2Own Ireland 2024 provide invaluable information for device manufacturers, security professionals, and everyday users. Events like these encourage continuous improvements in device security, reinforcing the importance of staying one step ahead in the face of an ever-evolving cybersecurity landscape. As Viettel Cyber Security earned the โ€œMaster of Pwnโ€ title for their consistent success, this event serves as a call to action for everyone involved in the digital ecosystem to prioritize security, ensuring that connected devices remain safe and resilient against threats.



If you like this service, please consider supporting us.
We use affiliate links on the blog allowing NAScompares information and advice service to be free of charge to you. Anything you purchase on the day you click on our links will generate a small commission which is used to run the website. Here is a link for Amazon and B&H. You can also get me a โ˜• Ko-fi or old school Paypal. Thanks! To find out more about how to support this advice service check HERE   If you need to fix or configure a NAS, check Fiver   Have you thought about helping others with your knowledge? Find Instructions Here  

โ˜• WE LOVE COFFEE โ˜•

Or support us by using our affiliate links on Amazon UK and Amazon US
     

locked content ko-fi subscribe

DISCUSS with others your opinion about this subject.
ASK questions to NAS community
SHARE more details what you have found on this subject
CONTRIBUTE with your own article or review. Click HERE
IMPROVE this niche ecosystem, let us know what to change/fix on this site
EARN KO-FI Share your knowledge with others and get paid for it! Click HERE

ASK YOUR QUESTIONS HERE!