Pwn2Own Ireland 2024, held in Dublin, was a four-day cybersecurity competition organised by the Zero Day Initiative. During the competition, security researchers attempted to exploit zero-day vulnerabilities in a range of devices commonly found in home and small office environments. The competition awarded over $1,066,625 to researchers for successfully exploiting vulnerabilities in devices across seven categories, including NAS systems, surveillance cameras, printers, smart speakers, mobile phones, home automation hubs, and SOHO networks. The event highlighted the vulnerability of these devices to various attack vectors, underscoring the importance of security updates and best practices for protecting sensitive data. The competition culminated in Viettel Cyber Security winning the โMaster of Pwnโ award for their consistent success in exploiting vulnerabilities.
Here are the different categories of devices that were targeted in the Pwn2Own Ireland 2024 competition, based on the sources you provided:
โNetwork Attached Storage (NAS): Several attempts were made to exploit vulnerabilities in NAS devices from vendors like QNAP, Synology, and TrueNAS.
โSurveillance: Numerous participants targeted vulnerabilities in surveillance cameras from vendors like Lorex and Ubiquiti.
โPrinters: Attempts were made to exploit vulnerabilities in printers from vendors like Canon, HP, and Lexmark.
โSmart Speakers: Participants targeted vulnerabilities in Sonos Era 300 smart speakers.
โMobile Phones: There was an attempt to exploit vulnerabilities in the Samsung Galaxy S24.
โSOHO SMASHUP: This unique category involved chaining exploits together to compromise multiple devices in a simulated small office/home office environment. The targeted devices included routers and NAS devices from QNAP, printers from Lexmark, and NAS devices from TrueNAS.
โHome Automation Hubs: An attempt was made to exploit an Aeotec Smart Home Hub.
The competition also included a โMaster of Pwnโ award given to the team that earned the most points by successfully exploiting vulnerabilities.
In addition to these categories, the sources mention attempts to exploit vulnerabilities in routers from Synology. However, itโs unclear whether โRoutersโ is a distinct category or falls under the broader category of โSOHO SMASHUPโ.
The recent Pwn2Own Ireland 2024 hacking competition revealed a series of successful exploits targeting QNAP network-attached storage (NAS) devices. These exploits underscore the potential security risks associated with these devices and the importance of robust security practices.
Hereโs a detailed look at the QNAP exploits:
Day One
- SOHO SMASHUPs: Two teams achieved a โSOHO SMASHUP,โ successfully chaining vulnerabilities across multiple devices in a simulated small office/home office network. Both attacks exploited a QNAP QHora-322 as the initial entry point:
- Sina Kheirkhah of Summoning Team used a chain of nine different bugs to compromise the QNAP QHora-322 and then pivot to a TrueNAS Mini X NAS device, earning him $100,000 and 10 Master of Pwn points.
- The Viettel Cyber Security team also achieved a SOHO SMASHUP, compromising a QNAP QHora-322 and then a TrueNAS Mini X device, earning them $50,000 and 10 Master of Pwn points. Their attack chain leveraged SQL injection vulnerabilities and issues related to missing authentication and exposed functions, allowing unauthorized access to sensitive functionalities or data.
- QNAP TS-464: ExLuck successfully exploited a QNAP TS-464 NAS device using a chain of four vulnerabilities, earning $40,000 and 4 Master of Pwn points. Two vulnerabilities were identified: an improper certificate verification vulnerability and a hardcoded cryptographic key, both of which could allow attackers to intercept communications or decrypt protected data.
Day Two
- QNAP TS-464: Two teams exploited the QNAP TS-464 NAS device on the second day:
- Chris Anastasio and Fabius Watson of Team Cluck used two bugs, including a CRLF injection vulnerability, to successfully exploit the device, earning $20,000 and 4 Master of Pwn points. CRLF injection allows attackers to manipulate server responses or inject malicious code.
- YingMuo, with the DEVCORE Internship Program, earned $20,000 and 4 Master of Pwn points for an exploit involving argument injection and SQL injection vulnerabilities, which could lead to the execution of unintended commands.
Day Three
- QNAP QHora-322: PHP Hooligans / Midnight Blue achieved a SOHO SMASHUP by chaining an out-of-bounds write vulnerability and a memory corruption bug to compromise a QNAP QHora-322 and pivot to a Lexmark printer, earning $25,000 and 10 Master of Pwn points. These vulnerabilities allow attackers to write data beyond intended memory bounds and disrupt program operations.
- QNAP TS-464: Ha The Long and Ha Anh Hoang of Viettel Cyber Security exploited a QNAP TS-464 NAS device using a single command injection vulnerability, earning $10,000 and 4 Master of Pwn points.
Day Four
- QNAP QHora-322: Chris Anastasio and Fabius Watson of Team Cluck achieved a partial SOHO SMASHUP, chaining together six vulnerabilities to compromise a QNAP QHora-322 and then a Lexmark CX331adwe printer. Although one of the bugs had been previously exploited, they earned $23,000 and 9.25 Master of Pwn points.
The successful exploits targeting QNAP devices during Pwn2Own Ireland 2024 highlight the range of vulnerabilities that can exist in these devices, from improper certificate verification to SQL injection and command injection vulnerabilities. This event reinforces the need for users to maintain a proactive security posture, ensuring their QNAP devices are updated with the latest security patches and following best practices to mitigate these risks.
The Pwn2Own Ireland 2024 hacking competition revealed multiple successful exploits targeting Synology devices, highlighting potential vulnerabilities and the critical need for rigorous security measures and timely updates.
Day One
- Synology TC500: The Viettel Cyber Security team exploited a Synology TC500 surveillance camera using a heap-based buffer overflow, which allowed them to overwrite memory with malicious code, potentially taking control of the device. They earned $30,000 and 3 Master of Pwn points.
- Synology DiskStation DS1823xs+: Ryan Emmons and Stephen Fewer of Rapid7 exploited a โImproper Neutralization of Argument Delimitersโ bug on a Synology DiskStation DS1823xs+, which allowed them to inject malicious commands. They earned $40,000 and 4 Master of Pwn points and noted this vulnerability affected other Synology devices. Later, Jack Dates of RET2 Systems exploited the same model using an out-of-bounds write vulnerability, earning $20,000 and 4 Master of Pwn points.
Day Two
- Synology BeeStation BST150-4T: PHP Hooligans / Midnight Blue exploited a command injection bug on a Synology BeeStation BST150-4T, allowing them to inject and execute commands. They earned $40,000 and 4 Master of Pwn points. Synacktiv also exploited this device using a previously demonstrated vulnerability, earning points and a cash prize, though marked as a โcollisionโ since the vulnerability was already known.
- Synology DiskStation: Chris Anastasio and Fabius Watson of Team Cluck exploited a Synology DiskStation using an โImproper Certificate Validationโ bug, which could let attackers impersonate legitimate entities. This earned them $20,000 and 4 Master of Pwn points.
Day Three
- Synology BeeStation: Pumpkin Chang and Orange Tsai from the DEVCORE Research Team exploited a Synology BeeStation using a combination of CRLF injection, authentication bypass, and SQL injection, gaining complete control over the device. They earned $20,000 and 4 Master of Pwn points. Team Smoking Barrels exploited the same device using an โunprotected primary channelโ vulnerability, earning $10,000 and 4 Master of Pwn points.
These Synology exploits at Pwn2Own Ireland 2024 illustrate a variety of vulnerabilities, from software bugs to insecure configurations. The event emphasizes the importance of securing Synology devices with the latest updates and vigilant security practices to protect against these risks.
The Pwn2Own Ireland 2024 competition showcased several successful exploits targeting TrueNAS devices, underscoring the importance of timely patching and robust security practices for network-attached storage solutions.
Breakdown of TrueNAS Exploits
Day One
- SOHO SMASHUPs: Two teams achieved SOHO SMASHUPs involving TrueNAS Mini X devices:
- Summoning Team: Sina Kheirkhah successfully exploited a QNAP QHora-322 router, then pivoted to a TrueNAS Mini X.
- Viettel Cyber Security: This team used the same device combination for their SOHO SMASHUP, exploiting the QNAP QHora-322 router and pivoting to a TrueNAS Mini X.
Day Three
- SOHO SMASHUP by Computest Sector 7: Daan Keuper, Thijs Alkemade, and Khaled Nassar achieved another SOHO SMASHUP, using four vulnerabilities to exploit both a QNAP QHora-322 router and a TrueNAS Mini X. The sources do not detail if any of these vulnerabilities overlapped with those exploited on Day One.
Day Four
- TrueNAS X Exploit: Team Smoking Barrels successfully exploited a TrueNAS X device using two vulnerabilities already documented earlier in the competition.
- Repeated Exploit of TrueNAS Mini X: Viettel Cyber Security team once again exploited a TrueNAS Mini X, using two previously identified vulnerabilities.
These repeated exploits emphasize the need for consistent patching and security vigilance for TrueNAS and other NAS devices.
Vulnerability Type
|
Synology
|
QNAP
|
TrueNAS
|
Other Brands
|
Argument Injection
|
โ
|
|||
Authentication Bypass
|
โ
|
โ
|
||
Command Injection
|
โ
|
โ
|
โ
|
|
CRLF Injection
|
โ
|
โ
|
||
Cryptographic Key (Hardcoded)
|
โ
|
|||
Heap-Based Buffer Overflow
|
โ
|
โ
|
โ
|
|
Improper Certificate Validation
|
โ
|
โ
|
||
Improper Neutralization of Argument Delimiters
|
โ
|
|||
Improper Verification of Cryptographic Signature
|
โ
|
|||
Memory Corruption
|
โ
|
|||
Missing Authentication
|
โ
|
|||
Out-of-Bounds Write
|
โ
|
โ
|
โ
|
|
Path Traversal
|
โ
|
โ
|
โ
|
|
SQL Injection
|
โ
|
โ
|
||
Stack-Based Buffer Overflow
|
โ
|
โ
|
โ
|
|
Type Confusion
|
โ
|
|||
Unprotected Primary Channel
|
โ
|
|||
Untrusted Pointer Dereference
|
โ
|
|||
Use-After-Free (UAF)
|
โ
|
Vulnerability Type
|
Successful Exploits
|
Stack-Based Buffer Overflow
|
8
|
Command Injection
|
5
|
Out-of-Bounds Write
|
3
|
SQL Injection
|
3
|
Heap-Based Buffer Overflow
|
2
|
CRLF Injection
|
2
|
Use-After-Free (UAF)
|
1
|
Argument Injection
|
1
|
Improper Certificate Validation
|
1
|
Improper Neutralization of Argument Delimiters
|
1
|
Improper Verification of Cryptographic Signature
|
1
|
Unprotected Primary Channel
|
1
|
Untrusted Pointer Dereference
|
1
|
Missing Authentication
|
1
|
Hardcoded Cryptographic Key
|
1
|
Path Traversal
|
1
|
Authentication Bypass
|
1
|
Memory Corruption
|
1
|
The recent exploits demonstrated at Pwn2Own Ireland 2024 expose several vulnerabilities that pose significant risks to home NAS users, highlighting the critical need for heightened security measures. Hereโs a closer look at the risks and protective steps home users should consider:
Key Exploits Affecting Home NAS Users
- SOHO SMASHUP Exploits: These attacks, aimed at small office/home office (SOHO) environments, chained vulnerabilities across multiple devices, including NAS systems. Successful SOHO SMASHUPs could give attackers complete control over a NAS and other connected devices.
- QNAP NAS Exploits: QNAP NAS devices were compromised using several techniques, including command injection, improper certificate validation, SQL injection, hardcoded cryptographic keys, and missing authentication. These vulnerabilities allowed attackers to access data, install malware, or disrupt functionality.
- Synology NAS Exploits: Synology NAS devices faced multiple attacks, with exploits such as command injection, improper neutralization of argument delimiters, and out-of-bounds writes. Such vulnerabilities could compromise data security and device integrity for Synology users.
- TrueNAS Exploits: Although less frequently targeted, TrueNAS devices were also exploited. Successful SOHO SMASHUPs involving TrueNAS demonstrate that attackers regard these devices as valuable entry points within home networks.
Impact on Home NAS Users
The successful exploitation of these vulnerabilities could lead to serious consequences:
- Data Breaches: Attackers could steal sensitive information, including personal documents, financial data, and family photos stored on the NAS.
- Malware Infections: A compromised NAS can spread malware to other devices on the same network.
- Ransomware Attacks: Attackers could encrypt NAS data, demanding ransom payments to unlock it.
- Data Loss: Attackers may delete or corrupt data, resulting in permanent loss if no backup is available.
- Device Takeover: A compromised NAS could serve as a launching point for attacks on other connected devices or networks.
Mitigation Strategies for Home Users
To reduce risks associated with NAS-targeted attacks, home users should consider the following practices:
- Update Regularly: Ensure NAS operating systems and firmware are updated consistently to apply the latest security patches.
- Enable Strong Authentication: Use strong, unique passwords and enable two-factor authentication (2FA) where available.
- Restrict Network Access: Limit NAS access to trusted devices and networks only, utilizing the NAS firewall to control access.
- Disable Unnecessary Services: Turn off any services or applications on the NAS that are not actively used to minimize attack surfaces.
- Back Up Data Regularly: Store backups in a separate, secure location, such as an external hard drive or a cloud service, to safeguard against data loss or ransomware attacks.
By following these steps, home users can greatly reduce their vulnerability to NAS-targeted attacks, protecting both their devices and data from potential exploitation.
Closing Thoughts on Pwn2Own Ireland 2024
The Pwn2Own Ireland 2024 competition in Dublin was a remarkable showcase of the evolving cybersecurity landscape, particularly concerning devices commonly found in home and small office setups. Organized by the Zero Day Initiative, this event brought together top security researchers to uncover and exploit zero-day vulnerabilities in NAS systems, surveillance cameras, routers, printers, smart speakers, mobile phones, and home automation hubs. The competition awarded over $1 million, reflecting the critical importance of identifying and addressing these vulnerabilities.
The event highlighted several key takeaways:
- Rising Vulnerability in Everyday Devices: With the rapid adoption of network-connected devices, even everyday home equipment can present serious security risks if not properly safeguarded. The prevalence of successful attacks on NAS devices, smart hubs, and routers underscores the need for a vigilant approach to home network security.
- Complex Attacks Like SOHO SMASHUPs: The SOHO SMASHUP category, where attackers combined vulnerabilities across multiple devices, demonstrated how interconnected environments can be exploited for maximum impact. These attacks emphasize the importance of holistic security measures that consider network-wide configurations.
- Variety of Exploits Used: From command injections to heap-based buffer overflows, the variety of exploited vulnerabilities illustrated the broad attack surface these devices present. This diversity highlights the need for device manufacturers to implement rigorous security practices throughout the development process.
- Timely Updates and User Awareness: The success of these exploits also reflects the necessity for regular software updates and security patches. For home users, adopting strong authentication measures, restricting network access, and routinely backing up data are essential steps to mitigate potential risks.
Ultimately, the insights gained from Pwn2Own Ireland 2024 provide invaluable information for device manufacturers, security professionals, and everyday users. Events like these encourage continuous improvements in device security, reinforcing the importance of staying one step ahead in the face of an ever-evolving cybersecurity landscape. As Viettel Cyber Security earned the โMaster of Pwnโ title for their consistent success, this event serves as a call to action for everyone involved in the digital ecosystem to prioritize security, ensuring that connected devices remain safe and resilient against threats.
Where to Buy a Product | |||
VISIT RETAILER โคย | |||
VISIT RETAILER โค | |||
VISIT RETAILER โคย | |||
VISIT RETAILER โคย | |||
VISIT RETAILER โคย |
We use affiliate links on the blog allowing NAScompares information and advice service to be free of charge to you. Anything you purchase on the day you click on our links will generate a small commission which is used to run the website. Here is a link for Amazon and B&H. You can also get me a โ Ko-fi or old school Paypal. Thanks! To find out more about how to support this advice service check HERE If you need to fix or configure a NAS, check Fiver Have you thought about helping others with your knowledge? Find Instructions Here
(Early Access) Minisforum MGA1 7600M XT eGPU Docking Station Review
(Early Access) The Best M.2 SSD NAS To Buy Right Now
(Early Access) My Favourite NAS Releases of 2024
(Inner Circle) Recommended ATX NAS Motherboard Guide - 6 GREAT NAS MOBOs!
(Early Access) Flashstor Gen 2 NAS - SHOULD YOU BUY? (Short Review)
(Early Access) The DREAM Video Editor NAS - Flashstor Gen 2 Review (FS6806X)
Access content via Patreon or KO-FI
DISCUSS with others your opinion about this subject.
ASK questions to NAS community
SHARE more details what you have found on this subject
CONTRIBUTE with your own article or review. Click HERE
IMPROVE this niche ecosystem, let us know what to change/fix on this site
EARN KO-FI Share your knowledge with others and get paid for it! Click HERE