WEBVTT

00:00:00.859 --> 00:00:02.220
JACK: Alright, pop quiz.

00:00:02.220 --> 00:00:05.620
Who is the best hacker in the world?

00:00:05.620 --> 00:00:08.290
Well, I think I’ve found him.

00:00:08.290 --> 00:00:14.000
Oh, it’s two guys, actually; Pedro and Radek.

00:00:14.000 --> 00:00:19.240
They won the 2020 Masters of Pwn Award which for now means they’re the best.

00:00:19.240 --> 00:00:20.240
PEDRO: Oh, wow.

00:00:20.240 --> 00:00:25.609
As much – we really appreciate that and as much as we would like to think we are,

00:00:25.609 --> 00:00:27.080
that would be unfair, you know?

00:00:27.080 --> 00:00:32.369
It’s quite a nice title to have and we’re quite happy with it.

00:00:32.369 --> 00:00:38.879
But the fact is there’s a lot of good hackers that stay in the shadows and I know for a

00:00:38.879 --> 00:00:40.660
fact a lot of them are better than us.

00:00:40.660 --> 00:00:45.610
JACK: See, here’s the thing; Master of Pwn is the title given to the winner of the Pwn2Own

00:00:45.610 --> 00:00:46.610
hacker competition.

00:00:46.610 --> 00:00:50.250
We’ll get into what all that means later but this is a very prestigious event with

00:00:50.250 --> 00:00:52.940
hundreds of thousands of dollars in prize money at stake.

00:00:52.940 --> 00:00:56.719
In fact, I think it’s the highest-paying hacker contest out there.

00:00:56.719 --> 00:01:00.460
When you have a well-known hacker contest with high-paying rewards and the rules are

00:01:00.460 --> 00:01:05.760
fair and transparent and it’s open for anyone in the world to compete in, then yeah, I think

00:01:05.760 --> 00:01:09.990
whoever wins it can possibly say they’re the best hackers in the world.

00:01:09.990 --> 00:01:14.619
I mean, how else can you prove that except through a fair and open competition, right?

00:01:14.619 --> 00:01:21.230
RADEK: Yeah, it’s very good to be crowned the Master of Pwn and of course, anybody can

00:01:21.230 --> 00:01:22.310
challenge that.

00:01:22.310 --> 00:01:27.340
But as Pedro said, there are a lot of people that stay in the shadow or they use different

00:01:27.340 --> 00:01:34.240
competitions or, you know, formats to compete with the rest of the world.

00:01:34.240 --> 00:01:42.259
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:42.259 --> 00:01:47.500
I’m Jack Rhysider.

00:01:47.500 --> 00:01:50.619
This is Darknet Diaries.

00:01:50.619 --> 00:01:56.579
[INTRO MUSIC ENDS]

00:01:56.579 --> 00:02:07.560
JACK: Okay, today we’re talking with two guys from ZDI which stands for the Zero Day

00:02:07.560 --> 00:02:08.560
Initiative.

00:02:08.560 --> 00:02:09.560
DUSTIN: My name is Dustin Childs.

00:02:09.560 --> 00:02:11.860
I’m the Senior Communications Manager for the Zero Day Initiative.

00:02:11.860 --> 00:02:13.270
BRIAN: My name is Brian Gorenc.

00:02:13.270 --> 00:02:16.550
I’m the Senior Director of Vulnerability Research here at Trend Micro.

00:02:16.550 --> 00:02:20.280
I run the Zero Day Initiative along with a couple other things here at Trend all focusing

00:02:20.280 --> 00:02:22.090
on exploitation and vulnerability discovery.

00:02:22.090 --> 00:02:25.220
JACK: Alright, so you’re both part of Zero Day Initiative.

00:02:25.220 --> 00:02:26.980
What is the Zero Day Initiative?

00:02:26.980 --> 00:02:30.849
DUSTIN: ZDI is the world’s largest vendor-agnostic bug-bounty program.

00:02:30.849 --> 00:02:35.860
That means we buy bugs in products from various vendors across the spectrum of IT.

00:02:35.860 --> 00:02:37.610
JACK: Hm, well, that’s interesting.

00:02:37.610 --> 00:02:38.830
These guys are bug-buyers.

00:02:38.830 --> 00:02:42.490
Specifically, they buy zero-day vulnerabilities.

00:02:42.490 --> 00:02:46.489
Zero-day vulnerabilities are bugs that the software developer or vendor doesn’t know

00:02:46.489 --> 00:02:48.690
exist or has not fixed.

00:02:48.690 --> 00:02:53.770
This vulnerability can be exploited on the latest and greatest software updates.

00:02:53.770 --> 00:02:59.730
If someone can demonstrate they can exploit fully-updated software, the ZDI team will

00:02:59.730 --> 00:03:01.459
buy that exploit from them.

00:03:01.459 --> 00:03:07.090
DUSTIN: We buy Microsoft, we buy Apple, we buy Google, we buy Cisco, we buy IBM.

00:03:07.090 --> 00:03:08.680
We buy a bunch of different bugs.

00:03:08.680 --> 00:03:14.060
JACK: Now, the thing is, ZDI is run by Trend Micro which is a cyber-security company that

00:03:14.060 --> 00:03:18.450
makes different products like the TippingPoint Intrusion Detection System.

00:03:18.450 --> 00:03:22.799
Now, an intrusion detection system examines the network traffic and looks for someone

00:03:22.799 --> 00:03:25.130
trying to exploit something.

00:03:25.130 --> 00:03:28.709
It alerts and triggers and tells the admin check this out; there might be something wrong

00:03:28.709 --> 00:03:29.709
here.

00:03:29.709 --> 00:03:36.230
ZDI was created in order to enrich the vulnerabilities that their intrusion detection system can

00:03:36.230 --> 00:03:37.230
detect.

00:03:37.230 --> 00:03:41.240
They thought by buying bugs, it would make their product better.

00:03:41.240 --> 00:03:45.400
But at the same time, when they’re buying a bug, they also tell the vendor that there’s

00:03:45.400 --> 00:03:49.450
a serious vulnerability in their product and this needs to be fixed now.

00:03:49.450 --> 00:03:53.769
While a lot of software vendors have their own bug-bounty program which pays people to

00:03:53.769 --> 00:03:58.400
report bugs to them, they don’t give ZDI any money for the bugs that ZDI reports.

00:03:58.400 --> 00:04:00.690
DUSTIN: I wish it worked that way.

00:04:00.690 --> 00:04:02.349
It would save our budget a lot.

00:04:02.349 --> 00:04:08.430
Now, we buy the bugs – let’s take a Microsoft Edge bug just as an example, hypothetically.

00:04:08.430 --> 00:04:14.829
We buy a bug in Microsoft Edge and then what we do is we create a filter for our products

00:04:14.829 --> 00:04:20.630
and then push that out to Trend Micro products ahead of Microsoft releasing a patch for Edge.

00:04:20.630 --> 00:04:25.830
JACK: Yeah, so, I guess my question is why doesn’t – so, you said Edge is an example;

00:04:25.830 --> 00:04:29.820
why wouldn’t Microsoft pay for this bug or why don’t they pay more for it?

00:04:29.820 --> 00:04:34.030
DUSTIN: Microsoft would pay for it and they probably would pay more, but their advantage

00:04:34.030 --> 00:04:35.960
is with going to ZDI.

00:04:35.960 --> 00:04:38.650
Certain researchers don’t want to be known to the vendors.

00:04:38.650 --> 00:04:41.540
Certain researchers don’t want to deal with the disclosure.

00:04:41.540 --> 00:04:44.860
We’ve had a lot of interesting disclosures over the years.

00:04:44.860 --> 00:04:50.120
We also have kind of a frequent flyer program so the more you report to us, the higher levels

00:04:50.120 --> 00:04:51.199
of bonuses you can get.

00:04:51.199 --> 00:04:53.540
We’re kind of a known entity.

00:04:53.540 --> 00:04:58.639
With some vendors, researchers have had the experience where they report bugs and then

00:04:58.639 --> 00:05:00.180
they just kinda get blown off.

00:05:00.180 --> 00:05:02.250
The vendors know who ZDI is.

00:05:02.250 --> 00:05:06.843
We’ve been around long enough, so researchers know that if they report it to us, their bug’s

00:05:06.843 --> 00:05:07.843
not gonna get just ignored.

00:05:07.843 --> 00:05:08.870
JACK: Mm-hm.

00:05:08.870 --> 00:05:12.800
I’ve talked with a few researchers who have found it frustrating when they tell a company

00:05:12.800 --> 00:05:16.360
about a bug they found, but that company just ignores them.

00:05:16.360 --> 00:05:20.500
So, security researchers don’t always want to go through the hassle of having to convince

00:05:20.500 --> 00:05:24.770
a company that there’s this bug and you need to fix it and here’s how.

00:05:24.770 --> 00:05:29.560
Instead, they just submit it to ZDI and then ZDI does all the legwork to try to get the

00:05:29.560 --> 00:05:35.490
vendor to fix it, because here’s the thing; ZDI puts pressure on the vendor to make them

00:05:35.490 --> 00:05:36.600
move quick.

00:05:36.600 --> 00:05:42.449
DUSTIN: [MUSIC] Yes, we have a 120-day disclosure timeline right now for vendors so from the

00:05:42.449 --> 00:05:48.320
time we report it to you, to any particular vendor, they have 120 days to work with us

00:05:48.320 --> 00:05:53.300
to get a public solution available whether it’s a patch or an advisory, some sort of

00:05:53.300 --> 00:05:55.090
fix out to the public.

00:05:55.090 --> 00:05:58.680
Then if it exceeds that timeline, then we do disclose a certain amount of information

00:05:58.680 --> 00:06:01.770
so the people can take other matters to protect their resources.

00:06:01.770 --> 00:06:03.889
JACK: Mm-hm. See?

00:06:03.889 --> 00:06:05.650
ZDI has a heavy hand here.

00:06:05.650 --> 00:06:09.950
When they give a bug to a vendor, a timer starts, and if the vendor doesn’t fix this

00:06:09.950 --> 00:06:16.410
problem in 120 days, then ZDI will publicly tell the world about this bug.

00:06:16.410 --> 00:06:22.209
This has given ZDI quite a reputation because if you’re a vendor and ZDI calls you up,

00:06:22.209 --> 00:06:26.580
you better listen and get things fixed quick or else your customers are going to be victim

00:06:26.580 --> 00:06:28.950
to many attacks.

00:06:28.950 --> 00:06:30.580
This has happened.

00:06:30.580 --> 00:06:35.470
Vendors have ignored ZDI and the timer sometimes expires.

00:06:35.470 --> 00:06:39.800
DUSTIN: Sometimes the vendor disagrees with the severity of the bug.

00:06:39.800 --> 00:06:45.930
We had a bug in the Foxit PDF Reader and it only hit when the protected mode was disabled.

00:06:45.930 --> 00:06:49.110
They said because of that, we’re not gonna fix it.

00:06:49.110 --> 00:06:53.710
We said we disagree with that and we think it should be fixed, so we’re gonna go public

00:06:53.710 --> 00:06:54.710
with it.

00:06:54.710 --> 00:06:55.710
We went public with it.

00:06:55.710 --> 00:07:00.120
They published a blog – we published a blog and later that afternoon they came back and

00:07:00.120 --> 00:07:01.120
said you know what?

00:07:01.120 --> 00:07:02.120
We changed our mind.

00:07:02.120 --> 00:07:03.120
We are gonna fix it.

00:07:03.120 --> 00:07:04.979
A week later, a patch was available.

00:07:04.979 --> 00:07:08.840
Clearly, if it only took them a week to make the patch, it wasn’t a technical issue.

00:07:08.840 --> 00:07:14.240
It was just a ‘we don’t want to patch this for philosophical reasons.’

00:07:14.240 --> 00:07:16.669
By going public with it, that changed their mind.

00:07:16.669 --> 00:07:22.480
JACK: ZDI was doing this bug-buying stuff for a few years but then came CanSecWest.

00:07:22.480 --> 00:07:26.750
[MUSIC] CanSecWest is a security conference in Vancouver, Canada.

00:07:26.750 --> 00:07:33.270
DUSTIN: A conference organizer had a MacBook; MacBooks had a reputation in the public as

00:07:33.270 --> 00:07:34.940
being essentially hack-proof.

00:07:34.940 --> 00:07:37.990
Everyone in the community knew that wasn’t true, though.

00:07:37.990 --> 00:07:41.750
He wanted to kinda demonstrate that so at the conference he said okay, I’m gonna put

00:07:41.750 --> 00:07:43.090
this MacBook on this network.

00:07:43.090 --> 00:07:45.090
If you pwn it, you can own it.

00:07:45.090 --> 00:07:46.879
Hey ZDI, would you buy the bug?

00:07:46.879 --> 00:07:49.060
We said yes, we’ll pay $10,000 for the bug.

00:07:49.060 --> 00:07:51.620
JACK: An impromptu contest was launched.

00:07:51.620 --> 00:07:57.480
If someone at CanSecWest had a working exploit for a fully-updated MacBook Air, they could

00:07:57.480 --> 00:07:58.660
try attacking it.

00:07:58.660 --> 00:08:04.120
The challenge was to get into it without the user having to do anything like click a link

00:08:04.120 --> 00:08:06.129
or a pop-up or anything.

00:08:06.129 --> 00:08:11.629
Simply having the MacBook on the same network as an attacker was all that was needed because

00:08:11.629 --> 00:08:16.400
if someone can take a computer over like this, this means they’ve pwned the computer.

00:08:16.400 --> 00:08:21.210
The rules are that if you pwn it, you can own it, which is different than owning it

00:08:21.210 --> 00:08:23.050
in a hacking sense.

00:08:23.050 --> 00:08:25.720
If you attack something and you get into it, you pretty much own that system.

00:08:25.720 --> 00:08:30.110
But in this case, you’re actually given the MacBook Air and say here, you got into

00:08:30.110 --> 00:08:32.110
it. You can own it now.

00:08:32.110 --> 00:08:33.110
It’s yours.

00:08:33.110 --> 00:08:38.090
But then on top of that, ZDI was also offering a $10,000 reward if you can do it, too.

00:08:38.090 --> 00:08:41.800
That’s a pretty nice reward which means hackers were spending time trying to hack

00:08:41.800 --> 00:08:47.620
into this MacBook Air during the conference which lasted three days.

00:08:47.620 --> 00:08:49.089
Did somebody pwn it?

00:08:49.089 --> 00:08:51.940
DUSTIN: Dino Dai Zovi; yes, he did.

00:08:51.940 --> 00:08:59.250
That was before my time but I believe he used a bug in QuickTime to take over the system.

00:08:59.250 --> 00:09:03.440
JACK: This was such an exciting event for ZDI that they decided to keep this contest

00:09:03.440 --> 00:09:04.440
going.

00:09:04.440 --> 00:09:10.070
[MUSIC] Since 2007, the Pwn2Own contest has been going on every year at CanSecWest.

00:09:10.070 --> 00:09:13.820
DUSTIN: Yes, from that point it became an annual thing and it grew.

00:09:13.820 --> 00:09:15.970
Initially, it started primarily with browsers.

00:09:15.970 --> 00:09:21.329
JACK: The Pwn2Own contest for the next few years was just for web browsers; Chrome, Firefox,

00:09:21.329 --> 00:09:22.329
IE, Safari.

00:09:22.329 --> 00:09:27.029
They announced the contest rules; the browsers will be fully updated on the latest patches

00:09:27.029 --> 00:09:30.840
and the contestant will need to exploit a bug in the browser and try to take over the

00:09:30.840 --> 00:09:31.840
computer.

00:09:31.840 --> 00:09:35.420
The only interaction the user has to do is browse to the attacker’s website.

00:09:35.420 --> 00:09:38.120
DUSTIN: I would say, just browse to the website.

00:09:38.120 --> 00:09:39.459
No user interaction after that.

00:09:39.459 --> 00:09:43.250
BRIAN: Yeah, we actually have rules in the contest that require the exploit to work without

00:09:43.250 --> 00:09:45.860
any user interaction, so all the…

00:09:45.860 --> 00:09:47.590
JACK: Other than going to the website.

00:09:47.590 --> 00:09:49.750
BRIAN: Other than going to the website.

00:09:49.750 --> 00:09:54.350
Then once you hit the website, the machine is compromised and the attacker’s shell

00:09:54.350 --> 00:09:55.610
code is executing.

00:09:55.610 --> 00:09:59.720
JACK: Okay, that gives me chills just thinking about it ‘cause I always assumed if I

00:09:59.720 --> 00:10:04.940
just go and – as long as I don’t click ‘are you sure you want to run this thing’,

00:10:04.940 --> 00:10:08.149
it’s very bad or something or there’s a little padlock in the top.

00:10:08.149 --> 00:10:12.260
There’s all these little things I look for when I’m going to shady-looking websites.

00:10:12.260 --> 00:10:17.070
But now you’re telling me it’s possible that even if all that, I could still be pwned.

00:10:17.070 --> 00:10:19.040
DUSTIN: That’s correct.

00:10:19.040 --> 00:10:20.360
BRIAN: 100%.

00:10:20.360 --> 00:10:25.110
JACK: [MUSIC] There’s a few different combinations of potential attack scenarios here.

00:10:25.110 --> 00:10:29.370
It’s not just for browsers; there’s also three different operating systems, too.

00:10:29.370 --> 00:10:32.839
They would ask the contestants what browser and what operating system do you want us to

00:10:32.839 --> 00:10:34.680
visit your website with?

00:10:34.680 --> 00:10:39.519
You can pick macOS, Windows, or Linux, because writing an exploit for each of these is a

00:10:39.519 --> 00:10:40.860
little different.

00:10:40.860 --> 00:10:46.610
The next year, in 2008, Charlie Miller wrote an exploit for Safari on macOS.

00:10:46.610 --> 00:10:50.970
When the contest organizers went to Charlie’s website, Charlie exploited that computer and

00:10:50.970 --> 00:10:52.910
completely took it over.

00:10:52.910 --> 00:10:56.570
From then on, the contest grew bigger and bigger and bigger.

00:10:56.570 --> 00:11:01.579
In 2014, a security research team known as Vupen came to compete at Pwn2Own.

00:11:01.579 --> 00:11:06.620
BRIAN: Yeah, the Vupen Chromoscope is actually quite interesting, that – what happened

00:11:06.620 --> 00:11:08.110
in 2014.

00:11:08.110 --> 00:11:12.910
It’s I think still to this day one of my favorite exploit chains that we received from

00:11:12.910 --> 00:11:13.970
Vupen.

00:11:13.970 --> 00:11:19.700
Vupen was – at the contest was targeting Google Chrome.

00:11:19.700 --> 00:11:22.320
Obviously at the time, and still to this day, it’s considered one of the hardest

00:01:22.320 --> 00:01:25.360
browsers to actually compromise.

00:11:25.360 --> 00:11:30.819
What they ended up doing is they had their server, we have the attack laptop and the

00:11:30.819 --> 00:11:37.420
– one of the ZDI team members surfs to their controlled web page.

00:11:37.420 --> 00:11:38.970
It basically says Waiting.

00:11:38.970 --> 00:11:43.709
What’s happening underneath the covers is actually they’re exploiting a use-after-free

00:11:43.709 --> 00:11:46.700
in Google’s renderer process.

00:11:46.700 --> 00:11:48.500
JACK: Use-after-free is a classic exploit.

00:11:48.500 --> 00:11:54.330
A browser has an object in the computer memory in order for it to work, but what an attacker

00:11:54.330 --> 00:11:59.230
might do is delete that object from memory somehow but not tell the browser that the

00:11:59.230 --> 00:12:00.900
object was deleted.

00:12:00.900 --> 00:12:05.420
The browser still thinks something is there but the attacker will put something else in

00:12:05.420 --> 00:12:09.700
that spot of the memory, so when the browser goes to run the program that’s in that piece

00:12:09.700 --> 00:12:15.220
of memory, it’s running the attacker’s code instead which can be something malicious.

00:12:15.220 --> 00:12:19.410
BRIAN: Once they’ve actually successfully exploited the use-after-free, they move on

00:12:19.410 --> 00:12:21.360
to try to escape the sandbox.

00:12:21.360 --> 00:12:24.649
JACK: Getting out of the sandbox is the next big hurdle.

00:12:24.649 --> 00:12:27.940
Most modern browsers today render websites in a sandbox.

00:12:27.940 --> 00:12:31.080
If you think about it, when you’re browsing the internet, you’re loading all kinds of

00:12:31.080 --> 00:12:35.990
content from people you don’t trust; images, sound files, JavaScript.

00:12:35.990 --> 00:12:40.519
It’s all being downloaded and opened on your computer.

00:12:40.519 --> 00:12:44.720
Browsers place all that in a sandbox which is a place where all this can be opened but

00:12:44.720 --> 00:12:49.180
nothing in the sandbox should ever be able to interact with anything else in the computer.

00:12:49.180 --> 00:12:54.580
A sandbox is a safe place to load untrusted content without the fear of it spreading to

00:12:54.580 --> 00:12:58.329
the rest of the computer or even to other tabs within the browser.

00:12:58.329 --> 00:13:02.290
Sandboxes have a very strict amount of privileges and something they don’t allow for is someone

00:13:02.290 --> 00:13:07.110
to fully take over a computer, so this is why attackers need to learn how to escape

00:13:07.110 --> 00:13:12.060
the sandbox to take over a computer which is what Vupen came to demonstrate live on

00:13:12.060 --> 00:13:13.440
stage during the contest.

00:13:13.440 --> 00:13:18.370
BRIAN: The way that they did this was they actually used an undocumented feature in Windows

00:13:18.370 --> 00:13:25.230
which allowed them to load a COM control onto the clipboard of the operating system.

00:13:25.230 --> 00:13:30.260
What ended up happening is every time you would right click, the COM control would get

00:13:30.260 --> 00:13:35.210
instantiated and execute attacker-controlled code outside of the sandbox itself.

00:13:35.210 --> 00:13:42.570
It was this kinda slick way of escaping the Chrome sandbox using some of the undocumented

00:13:42.570 --> 00:13:43.730
features in the Windows operating system.

00:13:43.730 --> 00:13:46.690
JACK: Now, to me at least, this is exciting to watch.

00:13:46.690 --> 00:13:51.070
It’s not quite a spectator sport though, so it’s just about as good to hear about

00:13:51.070 --> 00:13:56.209
it later as it is to see it live, but it’s exciting in the sense that an unknown bug

00:13:56.209 --> 00:14:02.149
to a major browser is going to be exploited right here on stage, right now.

00:14:02.149 --> 00:14:04.630
BRIAN: It’s usually very exciting, right?

00:14:04.630 --> 00:14:08.389
You know what’s happening on the contestant side is, you know, they’ve put a lot of

00:14:08.389 --> 00:14:13.480
time and effort into first finding the vulnerability and finding the sandbox escape and then taking

00:14:13.480 --> 00:14:18.390
the time to write the exploit, make it reliable, make it so that there’s no user interaction.

00:14:18.390 --> 00:14:23.970
It comes to this point in the contest where it’s all on the line, right?

00:14:23.970 --> 00:14:26.990
You have five minutes to make the exploit work.

00:14:26.990 --> 00:14:32.269
There’s a lot of tension that occurs in the air and in the room when it comes to that

00:14:32.269 --> 00:14:36.260
point of actually surfing to the web page.

00:14:36.260 --> 00:14:40.639
For us and ZDI, we’re always very much – we want the contestant to win, right?

00:14:40.639 --> 00:14:41.820
We want to pay the bounty.

00:14:41.820 --> 00:14:43.570
We want to be involved in the disclosure process.

00:14:43.570 --> 00:14:48.320
We want to see them be successful because ultimately what’s gonna happen is the vendor’s

00:14:48.320 --> 00:14:52.430
gonna release the patch that’s gonna remove this exploit from being used in the wild.

00:14:52.430 --> 00:14:57.320
We’re also very excited when the actual exploit works because we look at exploits

00:14:57.320 --> 00:14:58.330
as kind of art, right?

00:14:58.330 --> 00:15:03.450
There’s always unique things that they’re doing to make the exploit work

00:15:03.450 --> 00:15:10.470
by using different exploit techniques, unique bugs, things that have never been seen before.

00:15:10.470 --> 00:15:15.029
When the exploit is successful, it gives us an opportunity to go take a look at that exploit

00:15:15.029 --> 00:15:19.029
chain, understand how they put it together, look at the vulnerabilities that they were

00:15:19.029 --> 00:15:22.389
using and see if there’s any interesting new techniques that we can kind of provide

00:15:22.389 --> 00:15:26.339
protections for but also recognize all of the efforts that they – that the contestant

00:15:26.339 --> 00:15:28.300
has put into actually developing that exploit.

00:15:28.300 --> 00:15:33.579
JACK: The Vupen team sat down, got their malicious web server ready, then told ZDI to browse

00:15:33.579 --> 00:15:34.970
to their web server.

00:15:34.970 --> 00:15:40.880
After ZDI went to the website, a few moments later, the calculator app launched on ZDI’s

00:15:40.880 --> 00:15:45.459
computer which proves that the Vupen team was able to get into that computer and launch

00:15:45.459 --> 00:15:46.660
whatever program they wanted.

00:15:46.660 --> 00:15:51.000
BRIAN: I remember when we were sitting in the disclosure room at the contest going through

00:15:51.000 --> 00:15:55.579
the exploit with Microsoft and Google at the time, they were all kind of – we were all

00:15:55.579 --> 00:16:00.180
kind of sitting there surprised at how efficient this was and the fact that they were leveraging

00:16:00.180 --> 00:16:04.459
something that was undocumented in an operating system that would allow them to execute code

00:16:04.459 --> 00:16:08.550
and escape the sandbox which at the time was something that was – still was relatively

00:16:08.550 --> 00:16:10.949
rare to see.

00:16:10.949 --> 00:16:17.069
But it was fun to – you just sort of go to a website, the browser doesn’t crash,

00:16:17.069 --> 00:16:20.210
and then you minimize the browser and start right-clicking on the desktop and calculators

00:16:20.210 --> 00:16:25.760
start popping up on the screen, demonstrating that they did have complete control of the

00:16:25.760 --> 00:16:29.310
computer at that point.

00:16:29.310 --> 00:16:36.779
JACK: [MUSIC] Demonstrating this vulnerability and having it work earned Vupen $100,000 in

00:16:36.779 --> 00:16:38.200
prize money.

00:16:38.200 --> 00:16:43.080
Over the course of time, Vupen has gone to Pwn2Own and taken prize money home many times.

00:16:43.080 --> 00:16:48.050
See, Vupen was this team of security researchers who were in the business of finding vulnerabilities

00:16:48.050 --> 00:16:50.910
and selling them to law enforcement.

00:16:50.910 --> 00:16:56.769
This was actually their whole business which brings me to the question; is $100,000 a lot

00:16:56.769 --> 00:16:58.620
for a bug like this?

00:16:58.620 --> 00:17:00.700
Well, it seems like it is.

00:17:00.700 --> 00:17:01.889
It’s a lot for ZDI.

00:17:01.889 --> 00:17:02.889
That’s for sure.

00:17:02.889 --> 00:17:06.660
But let’s talk about some options, what else you could do with a zero-day bug like

00:17:06.660 --> 00:17:07.660
this.

00:17:07.660 --> 00:17:11.630
If the vendor had a bug bounty program, you could submit to them and some vendors pay

00:17:11.630 --> 00:17:15.189
pretty well, but do they pay $100,000 for a bug?

00:17:15.189 --> 00:17:20.740
Well, Google’s maximum payout for a bug is currently set to $30,000.

00:17:20.740 --> 00:17:25.949
But a security researcher in 2009 was able to demonstrate that he could take over a Pixel

00:17:25.949 --> 00:17:32.049
3 phone with just one click, and Google paid him $200,000 for that one.

00:17:32.049 --> 00:17:36.179
But the reason that was so high is because the researcher was able to chain a few different

00:17:36.179 --> 00:17:41.600
exploits together to get this working, so they actually used multiple bugs to do that.

00:17:41.600 --> 00:17:45.390
Sometimes vendors will pay double when they want researchers to focus on a particular

00:17:45.390 --> 00:17:46.390
product.

00:17:46.390 --> 00:17:50.470
It’s sometimes hard to get vendors to look at bugs that you give them and get them to

00:17:50.470 --> 00:17:51.590
pay out.

00:17:51.590 --> 00:17:56.420
Obviously taking full control over a computer using an unknown bug will be one of the higher-paying

00:17:56.420 --> 00:18:01.120
bugs, but then there’s a few other markets for places you can go to sell zero-day exploits.

00:18:01.120 --> 00:18:05.520
The dark web is one place, but it’s shady and shifty.

00:18:05.520 --> 00:18:10.870
Is someone really gonna roll up and pay $100,000 for a vulnerability on a darknet marketplace?

00:18:10.870 --> 00:18:14.020
How do you know it’s an actual zero-day vulnerability?

00:18:14.020 --> 00:18:17.600
How do you know that you’ll get working code and you’re gonna be taught how to use

00:18:17.600 --> 00:18:18.600
it properly?

00:18:18.600 --> 00:18:20.720
Or how do you know where it even came from?

00:18:20.720 --> 00:18:25.159
Maybe the seller will sell it to you and then sell it to your adversary the next day.

00:18:25.159 --> 00:18:31.750
Think about who’s buying and selling zero-day bugs on the dark web; probably criminals,

00:18:31.750 --> 00:18:32.750
right?

00:18:32.750 --> 00:18:34.630
People with ill-intent at least.

00:18:34.630 --> 00:18:40.190
The market for this on the dark web is starting to dry up and so, there’s law enforcement.

00:18:40.190 --> 00:18:44.150
Places like the NSA and FBI sometimes use zero-day bugs to get into things.

00:18:44.150 --> 00:18:47.580
The classic example is the San Bernardino iPhone story.

00:18:47.580 --> 00:18:52.500
This was an iPhone recovered from one of the terrorists who did an attack in 2015.

00:18:52.500 --> 00:18:57.720
The iPhone was password-protected and the FBI wanted Apple to unlock it but Apple refused,

00:18:57.720 --> 00:19:00.770
mostly saying they don’t have the ability to do that and they’ve designed the phone

00:19:00.770 --> 00:19:04.260
in such a way that it’s impossible even for Apple to unlock it.

00:19:04.260 --> 00:19:08.580
The court wasn’t able to force Apple to do it, so the FBI had to go to Plan B which

00:19:08.580 --> 00:19:10.450
was to hack into it.

00:19:10.450 --> 00:19:15.220
We don’t know the specifics but the story goes that the FBI bought a zero-day bug for

00:19:15.220 --> 00:19:18.400
a million dollars to get into that iPhone.

00:19:18.400 --> 00:19:24.320
An exploit to get into a locked iPhone goes for a million dollars on the gray market.

00:19:24.320 --> 00:19:27.690
There are mercenaries too, hacking groups who work for the highest bidder to hack into

00:19:27.690 --> 00:19:28.690
a target.

00:19:28.690 --> 00:19:30.120
An example here is Project Raven.

00:19:30.120 --> 00:19:33.390
In fact, in Episode 47, I talk about Project Raven.

00:19:33.390 --> 00:19:38.260
This was basically a hacking group who was contracted by the UAE to hack into its adversaries.

00:19:38.260 --> 00:19:41.400
One of the hacking tools they used is called Karma.

00:19:41.400 --> 00:19:46.380
This allowed Project Raven operatives to access information on a target’s iPhone without

00:19:46.380 --> 00:19:49.320
the target having to click or do anything.

00:19:49.320 --> 00:19:52.049
Simply by sending a message to that iPhone was all it took.

00:19:52.049 --> 00:19:57.710
But we believe Karma was an exploit that was purchased outside of the UAE.

00:19:57.710 --> 00:20:01.020
We don’t know how much they paid for it, but it sure is probably worth a

00:20:01.020 --> 00:20:05.990
million dollars since Project Raven was able to use it for years on dozens of targets without

00:20:05.990 --> 00:20:07.659
it being patched.

00:20:07.659 --> 00:20:12.390
Any time the UAE government wanted to spy on someone’s iPhone, they had a pretty easy

00:20:12.390 --> 00:20:14.190
and quick way to do it.

00:20:14.190 --> 00:20:20.620
See, the thing is, we’re in the era of cyber-arms industry where buying and selling zero-day

00:20:20.620 --> 00:20:25.820
exploits is fairly common among nations and mercenaries, because having that slight edge

00:20:25.820 --> 00:20:30.309
on an adversary can really go a long way for a nation’s intelligence-gathering.

00:20:30.309 --> 00:20:37.710
DUSTIN: Yes, there is the exploit broker market and the black market that can pay a lot more.

00:20:37.710 --> 00:20:42.429
There’s different concerns that researchers have reporting it that way.

00:20:42.429 --> 00:20:48.270
One thing is you go to Pwn2Own and there’s press coverage and there’s adoration and

00:20:48.270 --> 00:20:52.840
there’s Pwnie Awards that a lot of Pwn2Own stuff gets submitted for, so you kinda make

00:20:52.840 --> 00:20:55.460
your name a little bit more well-known.

00:20:55.460 --> 00:21:00.610
If you sell to an exploit broker, your name will never be associated with your research

00:21:00.610 --> 00:21:06.770
and your research could be used by an oppressive regime to monitor people or something.

00:21:06.770 --> 00:21:09.390
Some people have ethical problems with that.

00:21:09.390 --> 00:21:12.770
Some people just see two commas in a dollar figure and say that’ll sort itself out.

00:21:12.770 --> 00:21:15.100
It’s one thing that we do compete against.

00:21:15.100 --> 00:21:19.950
JACK: Vupen has demonstrated eleven zero-day vulnerabilities at Pwn2Own over the course

00:21:19.950 --> 00:21:26.480
of a few years, but that team has now morphed into what’s called Zerodium which they still

00:21:26.480 --> 00:21:30.240
work to acquire zero-day exploits and report on them.

00:21:30.240 --> 00:21:34.330
Zerodium has their own researchers trying to develop zero-day exploits, but also spends

00:21:34.330 --> 00:21:38.140
a significant amount to buy exploits.

00:21:38.140 --> 00:21:42.770
That just makes me wonder why Vupen decided to publicly share these with ZDI.

00:21:42.770 --> 00:21:47.780
Maybe to become known as the people who have lots of zero-day bugs, so many that they’re

00:21:47.780 --> 00:21:49.350
willing to share them with ZDI.

00:21:49.350 --> 00:21:54.270
I’d like to interview these guys one day but in my experience, zero-day brokers just

00:21:54.270 --> 00:21:59.100
don’t like talking publicly.

00:21:59.100 --> 00:22:08.520
[MUSIC] I’m reading this article on forbes.com.

00:22:08.520 --> 00:22:11.860
The article is titled 30 Under 30 Asia.

00:22:11.860 --> 00:22:15.809
They pick thirty people under thirty years old that are noteworthy and making a name

00:22:15.809 --> 00:22:17.179
for themselves.

00:22:17.179 --> 00:22:19.850
One person on this list is named Junghoon Lee.

00:22:19.850 --> 00:22:22.270
Let me read what Forbes wrote about him.

00:22:22.270 --> 00:22:27.549
“Lee, better known as his online alias Lokihardt is said to be able to hack into any computer,

00:22:27.549 --> 00:22:32.820
smart phone, program, or browser from Apple iPhone to Microsoft Edge, Google Chrome, or

00:22:32.820 --> 00:22:33.820
Safari.”

00:22:33.820 --> 00:22:37.030
Who’s this guy, Korean Junghoon Lee?

00:22:37.030 --> 00:22:38.030
What did he exploit?

00:22:38.030 --> 00:22:39.030
DUSTIN: He exploited everything.

00:22:39.030 --> 00:22:44.600
I think he exploited Chrome, he exploited IE, and he exploited Safari.

00:22:44.600 --> 00:22:46.580
JACK: Okay, let’s talk about that, then.

00:22:46.580 --> 00:22:49.159
BRIAN: Yeah, they say he goes by the handle of Lokihardt.

00:22:49.159 --> 00:22:53.710
If I remember correctly, he was actually – kind of worked in the game community, a game developer.

00:22:53.710 --> 00:22:57.980
He kind of had a unique way of looking at vulnerabilities that he would find in the

00:22:57.980 --> 00:22:58.980
browsers.

00:22:58.980 --> 00:23:01.960
Typically what he would find is race conditions.

00:23:01.960 --> 00:23:07.799
He’d find a place where code is raced in a very specific point and find a way to exploit

00:23:07.799 --> 00:23:10.200
that in a way that would allow him to get code execution.

00:23:10.200 --> 00:23:16.580
I remember about his attempts is that a lot of them were race conditions and kind of unique

00:23:16.580 --> 00:23:23.690
bugs that not – normal fuzzers and testing techniques wouldn’t find and that’s why

00:23:23.690 --> 00:23:28.010
I’ve really enjoyed his approach to looking for bugs.

00:23:28.010 --> 00:23:32.799
I think one of the most interesting ones I remember from him was he had a – I think

00:23:32.799 --> 00:23:39.330
it was an IE exploit where to escape the sandbox, he actually forced the browser to open up

00:23:39.330 --> 00:23:45.809
the on-screen keyboard and he was clicking on the keyboard with his exploit code to actually

00:23:45.809 --> 00:23:50.070
execute commands on the actual operating system itself.

00:23:50.070 --> 00:23:53.549
It was really – it was actually – that one was very visually fun to see because he

00:23:53.549 --> 00:23:58.000
would go to the attacker control web page, he would exploit the browser, and he brought

00:23:58.000 --> 00:24:02.070
up the virtual keyboard to actually start clicking on different keys on the keyboard.

00:24:02.070 --> 00:24:07.070
I think the attempt didn’t work at Pwn2Own because he had tested his exploit against

00:24:07.070 --> 00:24:10.490
I think the Korean version of the operating system and we were running against the English

00:24:10.490 --> 00:24:11.640
version of the operating system.

00:24:11.640 --> 00:24:14.559
So, the keyboard points were slightly off.

00:24:14.559 --> 00:24:19.270
As a result, he didn’t actually get code execution outside of the sandbox, but it was

00:24:19.270 --> 00:24:22.539
one of the more interesting exploits that we had seen at the actual contest.

00:24:22.539 --> 00:24:27.150
DUSTIN: I think his largest payout was $110,000.

00:24:27.150 --> 00:24:30.260
Over the three-day program, he won $225,000.

00:24:30.260 --> 00:24:32.760
JACK: Whoa, that’s crazy.

00:24:32.760 --> 00:24:37.390
That’s some young Korean guy; just showed up to Pwn2Own, demonstrated how he can take

00:24:37.390 --> 00:24:42.840
over computers running Chrome, Edge, and Safari and then walked out with a few hundred thousand

00:24:42.840 --> 00:24:43.840
dollars.

00:24:43.840 --> 00:24:44.840
Who are these guys?

00:24:44.840 --> 00:24:48.830
Well, Google was apparently really impressed with this work, so they offered him a job.

00:24:48.830 --> 00:24:53.100
So, Lokihardt took the job and moved to Sunnyvale and started working at Google, but I don’t

00:24:53.100 --> 00:24:55.250
think he works there anymore now.

00:24:55.250 --> 00:25:02.610
When this contest happens, I mean, since 2007 and 2017 at least, that’s ten years of – browsers

00:25:02.610 --> 00:25:04.110
are getting pwned every year.

00:25:04.110 --> 00:25:05.110
DUSTIN: Yes.

00:25:05.110 --> 00:25:08.690
JACK: What do the browser companies think of this event?

00:25:08.690 --> 00:25:13.580
DUSTIN: Well, we’ve heard from Microsoft that they actually like it because

00:25:13.580 --> 00:25:16.450
they’re getting research that they would not otherwise do.

00:25:16.450 --> 00:25:21.281
Especially the security folks; they can go to their management and go look, the secure

00:25:21.281 --> 00:25:26.210
initiative that we want to do, these mitigations that we want to implement, see, at Pwn2Own

00:25:26.210 --> 00:25:27.380
we’re getting popped.

00:25:27.380 --> 00:25:32.559
If we implement this mitigation, maybe we won’t get popped so easily.

00:25:32.559 --> 00:25:37.690
I wouldn’t say they love it but I think they – that they definitely appreciate it.

00:25:37.690 --> 00:25:42.020
Most of our vendors we have a very good relationship with so that they know that we’re also a

00:25:42.020 --> 00:25:47.470
fair broker and we’re not gonna do stuff just to make ourselves look good.

00:25:47.470 --> 00:25:49.710
They know that overall, their products are gonna get more secure.

00:25:49.710 --> 00:25:54.130
BRIAN: I think you can look at the contest, too, over the years, too, is that early days

00:25:54.130 --> 00:25:59.330
in Pwn2Own, a lot of these vendors were not really enjoying being part of the contest

00:25:59.330 --> 00:26:02.120
but over the years they’ve actually started to see the value.

00:26:02.120 --> 00:26:05.919
They’ve actually started to sponsor the conference and they want to be more involved

00:26:05.919 --> 00:26:07.590
with the actual research community.

00:26:07.590 --> 00:26:12.390
As a result, you’re seeing a lot of these vendors open up and use that data to actually

00:26:12.390 --> 00:26:16.539
improve things like the sandbox and the rendering engines inside of the browser.

00:26:16.539 --> 00:26:21.010
JACK: While initially Pwn2Own was just browsers, it’s now expanded well beyond that.

00:26:21.010 --> 00:26:25.760
DUSTIN: [MUSIC] Over the years, we’ve added applications and other technologies.

00:26:25.760 --> 00:26:30.520
It really kinda started with Flash and Java which kinda makes sense ’cause that’s

00:26:30.520 --> 00:26:32.030
things that are occurring in the browser.

00:26:32.030 --> 00:26:37.659
But then we ended up adding enterprise applications like Microsoft Office and Adobe Reader.

00:26:37.659 --> 00:26:43.650
Phones at some point came into it as well with the BlackBerry and iPhones.

00:26:43.650 --> 00:26:47.830
Then we really started focusing on the operating system and sandbox escapes.

00:26:47.830 --> 00:26:55.599
In 2016, we introduced the virtualization category, then we added in 2018 IoT devices,

00:26:55.599 --> 00:27:03.419
and in 2020 we even added Pwn2Own specifically for industrial control systems and SCADA products.

00:27:03.419 --> 00:27:08.720
It’s really grown over the years as it’s formalized to really spread out and look at

00:27:08.720 --> 00:27:14.029
a wide range of enterprise products, consumer products, and now ICS and SCADA products.

00:27:14.029 --> 00:27:16.429
JACK: This event has made quite a name for itself.

00:27:16.429 --> 00:27:20.809
Vendors know exactly what day Pwn2Own is happening and sometimes push patches to their products

00:27:20.809 --> 00:27:22.630
just before the event.

00:27:22.630 --> 00:27:27.940
But I do wonder what vendors think when they get added to the list of targets in Pwn2Own.

00:27:27.940 --> 00:27:32.860
Do their eyes widen when they realize they’re now gonna be in the crosshairs of the world’s

00:27:32.860 --> 00:27:33.860
greatest hackers?

00:27:33.860 --> 00:27:38.149
DUSTIN: Yes, we’ve had vendors actually try to opt out of participating but we let

00:27:38.149 --> 00:27:40.450
them know that’s not really an option.

00:27:40.450 --> 00:27:46.320
But then by the end, they were actually enthusiastic and like Brian says, Microsoft is a co-sponsor

00:27:46.320 --> 00:27:49.320
of Pwn2Own now, as VMware is, too.

00:27:49.320 --> 00:27:53.770
JACK: Now, while Pwn2Own was always about testing the security of browsers, one year

00:27:53.770 --> 00:27:56.180
they didn’t allow testing in Firefox.

00:27:56.180 --> 00:28:01.649
DUSTIN: [MUSIC] Yes, there was one year we did not include Firefox primarily because

00:28:01.649 --> 00:28:06.470
they hadn’t made any significant new security improvements over the year.

00:28:06.470 --> 00:28:08.520
At the time, they weren’t even sandboxed.

00:28:08.520 --> 00:28:11.490
JACK: Yeah, Firefox just wasn’t updating the security of their browsers enough for

00:28:11.490 --> 00:28:13.720
ZDI to feel confident in testing it.

00:28:13.720 --> 00:28:18.190
In fact, Brian was quoted saying “We wanted to focus on browsers that have made serious

00:28:18.190 --> 00:28:21.340
security improvements in the last year.”

00:28:21.340 --> 00:28:27.059
When the Firefox CEO saw that, he tweeted “Ouch”, which I think was quite embarrassing

00:28:27.059 --> 00:28:28.169
for them.

00:28:28.169 --> 00:28:32.080
But since then, Firefox has been included again and they’re putting a lot of focus

00:28:32.080 --> 00:28:34.170
into securing their product.

00:28:34.170 --> 00:28:38.840
As Pwn2Own continued and grew year after year, it became more and more prestigious to be

00:28:38.840 --> 00:28:40.390
a prize-winner from the contest.

00:28:40.390 --> 00:28:45.309
In fact, to make things even more prestigious, they started a thing called Master of Pwn.

00:28:45.309 --> 00:28:50.890
DUSTIN: [MUSIC] In 2016, we created this title called Master of Pwn.

00:28:50.890 --> 00:28:55.670
The way Pwn2Own works logistically is at the beginning of the contest, everyone’s name

00:28:55.670 --> 00:28:59.990
who’s participating goes into a hat and we draw names out of a hat and that’s the

00:28:59.990 --> 00:29:02.039
order that you go.

00:29:02.039 --> 00:29:06.470
We’re looking for the first win in a category and that’s the full winner.

00:29:06.470 --> 00:29:10.720
Everything subsequent, the prize money goes down for additional rounds.

00:29:10.720 --> 00:29:16.770
If a Chrome exploit is worth $75,000 in the first round, it may only be worth $35,000

00:29:16.770 --> 00:29:18.860
in the second round.

00:29:18.860 --> 00:29:23.789
There’s a randomness of luck into the contest.

00:29:23.789 --> 00:29:28.580
You might end up with the best research but if you have a bad draw, you get a lot less

00:29:28.580 --> 00:29:29.580
money.

00:29:29.580 --> 00:29:34.760
We introduced the concept of Master of Pwn to crown the overall winner where, okay, that

00:29:34.760 --> 00:29:38.960
Chrome bug is gonna be worth ten points but it’s worth ten points the first round, the

00:29:38.960 --> 00:29:40.640
second round, the third round, and so on.

00:29:40.640 --> 00:29:45.809
If you’ve got the best research but have a bad draw, you could still be crowned the

00:29:45.809 --> 00:29:50.710
overall winner of Pwn2Own, Master of Pwn, if you end up with the most points.

00:29:50.710 --> 00:29:53.730
BRIAN: This is where it got really competitive.

00:29:53.730 --> 00:29:58.550
What ended up happening is in the Pwn2Own evolution, is we started to experience more

00:29:58.550 --> 00:30:00.330
and more teams in the contest.

00:30:00.330 --> 00:30:05.910
The purpose of the team was to actually try to land an exploit in every category and try

00:30:05.910 --> 00:30:11.000
to accumulate enough points to win that Master of Pwn. Because there’s a lot

00:30:11.000 --> 00:30:16.400
of press and there’s a lot of notoriety that goes along with the Pwn2Own contest,

00:30:16.400 --> 00:30:20.220
companies started to form very large teams to actually compete against other companies.

00:30:20.220 --> 00:30:25.490
Some of the top players in the space were two Chinese companies; one Tencent and the other

00:30:25.490 --> 00:30:32.270
360 who developed really advanced and elite teams to participate in Pwn2Own.

00:30:32.270 --> 00:30:36.260
These teams would be large enough where they would have individual researchers looking

00:30:36.260 --> 00:30:42.059
at different subsystems to find bugs and then would put them all together to actually bring

00:30:42.059 --> 00:30:46.480
a large number of exploit chains to the contest so that they could make an attempt to win

00:30:46.480 --> 00:30:47.679
the Master of Pwn.

00:30:47.679 --> 00:30:51.320
Between those two companies, it was quite competitive.

00:30:51.320 --> 00:30:55.960
What ended up happening one year is that the – during our ten-year anniversary, the two

00:30:55.960 --> 00:30:59.500
teams were very close to winning the actual Master of Pwn award.

00:30:59.500 --> 00:31:03.389
It came down to the rules in the contest.

00:31:03.389 --> 00:31:07.330
The rules in the contest require that you use a zero-day and that it’s unknown to

00:31:07.330 --> 00:31:10.110
the vendor, but occasionally there can be collisions.

00:31:10.110 --> 00:31:15.630
We call them vulnerability collisions where one researcher submits a vulnerability and

00:31:15.630 --> 00:31:19.179
another researcher submits the same vulnerability and a collision occurs.

00:31:19.179 --> 00:31:23.240
As a result, the person who has the first – who uses it first in the contest based

00:31:23.240 --> 00:31:30.289
off of the draw is – gets the points for that specific vulnerability.

00:31:30.289 --> 00:31:37.100
Years prior, the collisions would occur and the – and they would happen within the contest.

00:31:37.100 --> 00:31:41.740
But what ended up happening as we – as the competition for the Master of Pwn became more

00:31:41.740 --> 00:31:46.049
and more important to these companies, they would actually start researching the – basically

00:31:46.049 --> 00:31:51.460
reverse-engineering the other research team’s researchers, looking at how they would go

00:31:51.460 --> 00:31:56.620
about finding bugs and try to find the same bugs that they were finding and submit them

00:31:56.620 --> 00:31:59.049
to the vendor prior to the contest.

00:31:59.049 --> 00:32:05.029
JACK: Yeah, in 2017, the Chinese team from Tencent blocked the Chinese team called 360

00:32:05.029 --> 00:32:08.080
by submitting one of 360’s bugs a few days earlier.

00:32:08.080 --> 00:32:10.000
That’s just crazy to me.

00:32:10.000 --> 00:32:16.570
Tencent didn’t hack 360 directly but instead studied how 360 went about finding bugs.

00:32:16.570 --> 00:32:20.519
I think what happened is someone from 360 gave a talk at a security conference explaining

00:32:20.519 --> 00:32:25.450
how to look for bugs or something like that, and someone from the rival team of Tencent

00:32:25.450 --> 00:32:31.899
was there and took notes and learned the technique and found bugs that 360 probably would have

00:32:31.899 --> 00:32:33.649
found.

00:32:33.649 --> 00:32:39.000
They told Google about this just to mess with 360 to keep them from getting points for that

00:32:39.000 --> 00:32:40.000
bug.

00:32:40.000 --> 00:32:44.700
That’s wild, but this rivalry between Tencent and 360 goes way beyond Pwn2Own.

00:32:44.700 --> 00:32:49.019
These two companies have been feuding over things for a long time and they’re not just

00:32:49.019 --> 00:32:51.350
fighting over who’s the Master of Pwn.

00:32:51.350 --> 00:32:54.639
DUSTIN: The title comes with a trophy.

00:32:54.639 --> 00:32:59.090
That’s very important to them as well, and it usually comes with a jacket.

00:32:59.090 --> 00:33:02.860
We have a lot of fun with the various jackets that we’ve had over the years.

00:33:02.860 --> 00:33:04.610
We’ve had a smoking jacket.

00:33:04.610 --> 00:33:07.080
The tenth anniversary, we had a custom bomber jacket made up.

00:33:07.080 --> 00:33:09.360
It was really cool.

00:33:09.360 --> 00:33:15.169
This year we have a custom hazmat suit for the Pwn to – Master of Pwn winner.

00:33:15.169 --> 00:33:20.170
But really, it’s the notoriety that they’re looking for.

00:33:20.170 --> 00:33:25.020
That title of Master of Pwn, it’s – especially in certain communities, it’s really well-respected.

00:33:25.020 --> 00:33:31.019
JACK: [MUSIC] Okay, so this team 360, the same year they were getting blocked by Tencent

00:33:31.019 --> 00:33:33.789
was the same year VMware made its debut at Pwn2Own.

00:33:33.789 --> 00:33:40.350
Now, if you aren’t aware, VMware is a way to run multiple virtual servers on one computer.

00:33:40.350 --> 00:33:45.139
Years ago, you might have one mail server and one domain server and one web server,

00:33:45.139 --> 00:33:49.820
and each one of these were on their own physical computer in a data center somewhere.

00:33:49.820 --> 00:33:56.019
But with VMware, there’s now one physical server with many virtual servers inside it,

00:33:56.019 --> 00:33:57.561
all separated into their own container.

00:33:57.561 --> 00:34:01.960
They can all share the same hardware resources.

00:34:01.960 --> 00:34:06.980
It’s important to test VMware for security holes since it runs all these different operating

00:34:06.980 --> 00:34:08.010
systems.

00:34:08.010 --> 00:34:12.200
The way Pwn2Own set up the contest was they installed the latest version of Windows, then

00:34:12.200 --> 00:34:17.740
installed the latest version of VMware Workstation, and in that VMware Workstation they installed

00:34:17.740 --> 00:34:20.510
another latest version of Windows.

00:34:20.510 --> 00:34:25.169
From the virtual Windows computer, they loaded up the Edge browser and went to 360’s website.

00:34:25.169 --> 00:34:27.000
BRIAN: That’s all you had to do.

00:34:27.000 --> 00:34:33.419
At that point, we took our hands off of the computer and watched the exploit work, effectively.

00:34:33.419 --> 00:34:40.190
What was happening behind the scenes is they were abusing a vulnerability in the browser

00:34:40.190 --> 00:34:45.419
that would allow them to get an exploit primitive that would allow them to do an out-of-bounds

00:34:45.419 --> 00:34:47.880
write and an out-of-bounds read.

00:34:47.880 --> 00:34:50.359
This would allow them to exploit the browser.

00:34:50.359 --> 00:34:56.780
Then they started to attack the Windows kernel because the vulnerability in VMware that they

00:34:56.780 --> 00:35:01.570
needed to access was one that required an escalation of privilege.

00:35:01.570 --> 00:35:07.859
It needed to be running an escalation to get access to that drive.

00:35:07.859 --> 00:35:11.430
Once they exploited the operating system, the guest operating system, they started

00:35:11.430 --> 00:35:17.589
attacking the VGA driver of VMware Workstation.

00:35:17.589 --> 00:35:23.660
Once they finished exploiting the VMware VGA driver in VMware, the screen in the guest

00:35:23.660 --> 00:35:28.240
operating system would resize and then a calculator would pop up.

00:35:28.240 --> 00:35:33.690
Now, that calculator would normally be in the guest operating system but in this case,

00:35:33.690 --> 00:35:36.640
that calculator was actually running on the host operating system.

00:35:36.640 --> 00:35:42.130
They were actually able to get code execution in the browser, then get code execution on

00:35:42.130 --> 00:35:46.580
the guest operating system, then exploit a vulnerability in VG – in the VGA driver

00:35:46.580 --> 00:35:52.369
in VMware Workstation which would allow them to escape the VMware Workstation hypervisor

00:35:52.369 --> 00:35:58.290
and execute code on the host operating system to completely compromise the actual host operating

00:35:58.290 --> 00:35:59.290
system.

00:35:59.290 --> 00:36:02.460
JACK: Wow, that is so incredible to me.

00:36:02.460 --> 00:36:06.670
That’s honestly one of the most astounding hacks I’ve ever heard of.

00:36:06.670 --> 00:36:11.500
You should not be able to take control over a computer by just browsing to a website.

00:36:11.500 --> 00:36:15.970
That alone is still blowing my mind that teams are able to do that at Pwn2Own practically

00:36:15.970 --> 00:36:17.330
every year.

00:36:17.330 --> 00:36:22.930
But then escape out of the virtual computer and get full access to the host computer?

00:36:22.930 --> 00:36:29.230
That’s just insane because the guest operating system should absolutely have no way to access

00:36:29.230 --> 00:36:31.960
the host’s operating system.

00:36:31.960 --> 00:36:36.750
For instance, I’ve seen honeypots run from within VMs and I’ve seen people using VMs

00:36:36.750 --> 00:36:41.450
to open malware or phishing e-mails or browse the shady sites because what’s the worst

00:36:41.450 --> 00:36:42.619
that could happen?

00:36:42.619 --> 00:36:48.270
The VM could be infected but that’s easy to delete and create a new one.

00:36:48.270 --> 00:36:56.120
But now, now we see 360 demonstrate that no, it is possible to escape out of a virtual

00:36:56.120 --> 00:37:01.300
machine and get access to the host computer.

00:37:01.300 --> 00:37:02.940
That just sends chills through me.

00:37:02.940 --> 00:37:08.960
BRIAN: It was crazy to watch and the first time I saw it, I was amazed to see how efficient

00:37:08.960 --> 00:37:12.890
it was and how amazing the actual exploit was.

00:37:12.890 --> 00:37:15.040
I remember it took quite a bit of time.

00:37:15.040 --> 00:37:18.650
It took I think a minute or two to actually pull off because it was a lot of activity

00:37:18.650 --> 00:37:26.930
going on in the exploit but when it popped calc on the host, everybody cheered and was

00:37:26.930 --> 00:37:30.690
quite excited to see that actually happen live in front of everybody.

00:37:30.690 --> 00:37:36.230
JACK: 360 won $105,000 for demonstrating that attack chain.

00:37:36.230 --> 00:37:40.099
There’s so many incredible exploits that get demonstrated at Pwn2Own.

00:37:40.099 --> 00:37:42.069
I’m fascinated by so many.

00:37:42.069 --> 00:37:46.440
For instance, George Hotz has competed in this and walked away with prize money multiple

00:37:46.440 --> 00:37:47.440
times.

00:37:47.440 --> 00:37:52.040
He’s the guy who jailbroke the first iPhone, modified the PlayStation which caused a crazy

00:37:52.040 --> 00:37:56.990
lawsuit, and is a member of the PPP CTF team which has won like, six black badges at Defcon

00:37:56.990 --> 00:38:02.450
now and has created a company which develops software for self-driving cars.

00:38:02.450 --> 00:38:07.890
[MUSIC] There’s another team I think is worth mentioning; it’s called Fluoroacetate.

00:38:07.890 --> 00:38:12.570
DUSTIN: Yeah, that’s their team name and it’s actually a pun because it’s based

00:38:12.570 --> 00:38:15.430
off of a pesticide, so they’re bug-killers.

00:38:15.430 --> 00:38:19.350
JACK: It’s made up of two people, Richard Zhu and Amat Cama.

00:38:19.350 --> 00:38:21.280
DUSTIN: They’re definitely an interesting pair.

00:38:21.280 --> 00:38:26.240
Amat is from Senegal and then Richard lives on – in the US.

00:38:26.240 --> 00:38:30.300
JACK: Before forming the team, they had both been going to Pwn2Own just as independent

00:38:30.300 --> 00:38:31.300
researchers.

00:38:31.300 --> 00:38:37.090
In 2017, Richard Zhu brought an exploit for the Microsoft Edge browser to demonstrate.

00:38:37.090 --> 00:38:42.390
The Pwn2Own contest organizers used Microsoft Edge to browse to Richard’s server and that’s

00:38:42.390 --> 00:38:43.770
it; hands off the keyboard.

00:38:43.770 --> 00:38:48.020
From there, Richard tried to use that session to take over that computer.

00:38:48.020 --> 00:38:50.020
But something went wrong on his first attempt.

00:38:50.020 --> 00:38:51.780
The exploit didn’t work.

00:38:51.780 --> 00:38:56.670
Now, contestants have five minutes to show their exploit and while up there on stage

00:38:56.670 --> 00:39:01.990
all alone, Richard began typing, fixing his exploit on the timer.

00:39:01.990 --> 00:39:03.470
He said okay, try again.

00:39:03.470 --> 00:39:06.820
So, the contest organizers tried again and went to his website.

00:39:06.820 --> 00:39:10.810
He tried to exploit the browser but it didn’t work again.

00:39:10.810 --> 00:39:14.099
There was still time on the clock, so Richard went back to troubleshooting, trying to get

00:39:14.099 --> 00:39:15.609
the exploit to reliably trigger.

00:39:15.609 --> 00:39:20.340
BRIAN: I remember his hands were shaking quite a bit as we got closer to the end of the clock.

00:39:20.340 --> 00:39:21.880
JACK: Can you imagine?

00:39:21.880 --> 00:39:23.510
You’re at the yearly Pwn2Own.

00:39:23.510 --> 00:39:26.819
Everyone is watching to see if you’ve got what it takes and you’re trying to type

00:39:26.819 --> 00:39:29.690
and debug code live in front of people.

00:39:29.690 --> 00:39:32.010
It’s gotta be nerve-wracking.

00:39:32.010 --> 00:39:36.319
But he got something ready and he asked them to try again, and this time it worked.

00:39:36.319 --> 00:39:40.240
He was able to take control of that session and open a calculator on the computer that

00:39:40.240 --> 00:39:42.020
went to his web server.

00:39:42.020 --> 00:39:46.820
He still had 1:37 left on the clock when it was over.

00:39:46.820 --> 00:39:49.040
He won $70,000 for that exploit.

00:39:49.040 --> 00:39:50.770
That’s who Richard is.

00:39:50.770 --> 00:39:52.550
The other guy on this team is Amat.

00:39:52.550 --> 00:39:56.920
BRIAN: Amat’s specialty was actually – was baseband exploitation.

00:39:56.920 --> 00:39:59.440
JACK: Baseband is a technology that mobile phones use.

00:39:59.440 --> 00:40:02.790
It’s a type of signal with a specific frequency range.

00:40:02.790 --> 00:40:06.550
If you think about all the different wireless signals coming in and out of your phone; there’s

00:40:06.550 --> 00:40:12.340
WiFi of course, there’s Bluetooth and NFC, and to make calls, it uses baseband.

00:40:12.340 --> 00:40:18.110
BRIAN: What he is very good at is actually exploiting the baseband processor in the phones.

00:40:18.110 --> 00:40:22.790
JACK: Pwn2Own now has a baseband category for people who want to try to hack phones

00:40:22.790 --> 00:40:24.369
through this wireless signal.

00:40:24.369 --> 00:40:29.200
Here’s the scenario; your phone tries to connect to the nearest base station to get

00:40:29.200 --> 00:40:30.780
a signal from the carrier.

00:40:30.780 --> 00:40:36.579
But suppose someone pulls up with a van right outside your house and in that van is a rogue

00:40:36.579 --> 00:40:40.089
base station acting like a carrier cell tower.

00:40:40.089 --> 00:40:44.210
Well, your phone might connect to that base station.

00:40:44.210 --> 00:40:50.200
The question is, if it does connect to a rogue cell tower, what could that base station do

00:40:50.200 --> 00:40:51.200
to your phone?

00:40:51.200 --> 00:40:56.670
Keep in mind, we’re only talking about the baseband frequency here which is not the same

00:40:56.670 --> 00:41:00.569
as TCP/IP or whatever networking we all might be familiar with.

00:41:00.569 --> 00:41:03.510
This is what Amat was researching for Pwn2Own.

00:41:03.510 --> 00:41:07.920
BRIAN: Well, there’s a protocol that happens between the base station and the actual phone

00:41:07.920 --> 00:41:10.730
itself for communication purposes.

00:41:10.730 --> 00:41:15.300
Then usually what ends up happening is Amat will have found a weakness in this – in

00:41:15.300 --> 00:41:20.549
the implementation of this protocol and he’ll exploit a vulnerability inside of the process

00:41:20.549 --> 00:41:25.950
– inside of the baseband processor to gain code execution in that part of the phone.

00:41:25.950 --> 00:41:32.839
Using just stack overflows and some of the more classic vulnerabilities over time, that’s

00:41:32.839 --> 00:41:35.460
what we’ve seen a lot inside of the baseband processors.

00:41:35.460 --> 00:41:38.619
JACK: Okay, so he earns money for that?

00:41:38.619 --> 00:41:40.760
BRIAN: Yes, he does.

00:41:40.760 --> 00:41:47.530
From 2017 to 2019, the Samsung Galaxy was part of the contest and it was actually exploited

00:41:47.530 --> 00:41:50.760
via baseband three years in a row.

00:41:50.760 --> 00:41:52.609
DUSTIN: Each of those was $50,000 plus.

00:41:52.609 --> 00:41:53.609
JACK: Wow.

00:41:53.609 --> 00:41:56.359
I’m just glad that someone is there poking at this stuff.

00:41:56.359 --> 00:42:00.210
There’s so much technology integrated into our personal and private lives that we don’t

00:42:00.210 --> 00:42:03.369
even realize is there, and I sure hope it’s all secure.

00:42:03.369 --> 00:42:07.440
I guess we have Amat to thank for finding vulnerabilities in the way some phones handle

00:42:07.440 --> 00:42:10.690
the baseband processing and getting that stuff fixed.

00:42:10.690 --> 00:42:15.150
But anyway, these two guys Richard and Amat were really doing well at Pwn2Own on their

00:42:15.150 --> 00:42:20.020
own, winning prize money year after year, so they decided to team up and they called

00:42:20.020 --> 00:42:22.220
themselves Team Fluoroacetate.

00:42:22.220 --> 00:42:24.400
From there, they just started dominating.

00:42:24.400 --> 00:42:30.569
DUSTIN: [MUSIC] Well, they kinda take over Pwn2Own for a couple years.

00:42:30.569 --> 00:42:35.790
They really complement each other very well with how they are able to research.

00:42:35.790 --> 00:42:41.940
Starting at about 2018, they took over Pwn2Own Vancouver as well as Pwn2Own Tokyo and were

00:42:41.940 --> 00:42:44.079
definitely scoring more points than everyone else.

00:42:44.079 --> 00:42:48.630
They were bringing a lot of great research to the contest and leaving with a lot of our

00:42:48.630 --> 00:42:49.630
cash.

00:42:49.630 --> 00:42:55.500
JACK: Alright, so Fluoroacetate retrieved a deleted photo from an iPhone?

00:42:55.500 --> 00:42:59.089
BRIAN: In this case, what we end up doing at the contest is we – the way that you

00:42:59.089 --> 00:43:06.150
demonstrate the code execution on a phone is we have SMS messages and photos on the

00:43:06.150 --> 00:43:07.150
phone that we’ve taken.

00:43:07.150 --> 00:43:13.880
We usually take silly photos before we put the phone inside of the RF enclosure.

00:43:13.880 --> 00:43:19.089
There was a year where we actually – we deleted one of the photos from the phone because

00:43:19.089 --> 00:43:24.480
we did not want it to – it was not something we wanted to show in front of the entire audience.

00:43:24.480 --> 00:43:28.920
But what ended up happening is they actually exploited a vulnerability in the browser and

00:43:28.920 --> 00:43:33.130
retrieved the photo archive from the phone.

00:43:33.130 --> 00:43:37.890
The first photo that they pulled up was actually the photo that we had deleted.

00:43:37.890 --> 00:43:41.690
It was – didn’t show up on the phone as being actively there but it was clearly there

00:43:41.690 --> 00:43:43.830
still in the cache.

00:43:43.830 --> 00:43:48.670
The exploit was actually able to retrieve deleted content from the phone that just hadn’t

00:43:48.670 --> 00:43:50.450
been removed by the cache yet.

00:43:50.450 --> 00:43:53.440
JACK: Everyone was properly shocked by this.

00:43:53.440 --> 00:43:57.770
The Pwn2Own guys were like, how did they recover a deleted photo?

00:43:57.770 --> 00:44:00.300
It’s been deleted from the phone.

00:44:00.300 --> 00:44:03.980
But not only that; again, the simplicity of this is just so stunning to me.

00:44:03.980 --> 00:44:09.220
Just by going to a malicious website is all the user had to do to get their phone completely

00:44:09.220 --> 00:44:10.220
taken over.

00:44:10.220 --> 00:44:15.150
There’s no need for the user to click Install on something or accept any weird pop-up.

00:44:15.150 --> 00:44:17.380
Just visiting the website was all it took.

00:44:17.380 --> 00:44:24.250
DUSTIN: In 2019, we partnered with Tesla to have it – a Model 3 available to hack at

00:44:24.250 --> 00:44:25.250
Pwn2Own.

00:44:25.250 --> 00:44:30.250
As part of that, we got different head units from Tesla and we shipped them around the

00:44:30.250 --> 00:44:33.589
world to various researchers including Richard and Amat.

00:44:33.589 --> 00:44:38.059
JACK: Okay, so the head unit is just the electronics inside the car, the infotainment system on

00:44:38.059 --> 00:44:41.890
the front dashboard, really, because that head unit can basically control the whole

00:44:41.890 --> 00:44:42.890
car.

00:44:42.890 --> 00:44:45.660
If you can exploit that, you can pretty much take over the whole car.

00:44:45.660 --> 00:44:50.390
They shipped these head units out to some of the contestants like Richard and Amat to

00:44:50.390 --> 00:44:51.390
try to hack into it.

00:44:51.390 --> 00:44:56.510
DUSTIN: Amat forgot that Senegal runs its electricity different than California.

00:44:56.510 --> 00:45:03.440
He plugged it into a 220 outlet when it was set to 110 and it immediately fried the head

00:45:03.440 --> 00:45:05.460
unit.
JACK: Oh, man.

00:45:05.460 --> 00:45:06.460
Ouch.

00:45:06.460 --> 00:45:09.670
But he got a new power brick and he was lucky that was the only thing that got

00:45:09.670 --> 00:45:10.670
fried.

00:45:10.670 --> 00:45:14.430
Once they had the Tesla head unit all back together, they started hacking away at it

00:45:14.430 --> 00:45:15.770
and they found an exploit.

00:45:15.770 --> 00:45:20.099
They brought their exploit to the Pwn2Own event where there was a complete Tesla Model

00:45:20.099 --> 00:45:22.030
3 in the parking lot.

00:45:22.030 --> 00:45:25.880
Inside the Tesla on the dashboard is a little computer with a touch screen and everything,

00:45:25.880 --> 00:45:27.750
and on that is a web browser.

00:45:27.750 --> 00:45:32.640
From that web browser, they visited Team Fluoroacetate’s website and they were able to exploit that

00:45:32.640 --> 00:45:34.600
session and take over the Tesla.

00:45:34.600 --> 00:45:38.280
DUSTIN: That was enough for them to win a Tesla Model 3.

00:45:38.280 --> 00:45:40.010
JACK: Of course they got to keep the car.

00:45:40.010 --> 00:45:41.010
It’s Pwn2Own.

00:45:41.010 --> 00:45:42.880
If you pwn it, you own it, remember?

00:45:42.880 --> 00:45:44.320
Ah, this contest is cool.

00:45:44.320 --> 00:45:47.690
It really brings out some crazy bugs that should have absolutely been fixed.

00:45:47.690 --> 00:45:52.150
DUSTIN: From my perspective, one of the things I like about the contest is it really allows

00:45:52.150 --> 00:45:55.440
us to guide researchers in specific areas.

00:45:55.440 --> 00:46:00.270
What usually happens is we’re sitting around just trying to come up with what categories

00:46:00.270 --> 00:46:04.600
we want to see really cool research in, and then we include that in Pwn2Own.

00:46:04.600 --> 00:46:08.869
Then hopefully that encourages researchers to do research in that area and then report

00:46:08.869 --> 00:46:09.869
those bugs.

00:46:09.869 --> 00:46:14.920
That’s kinda how we came up with the virtualization category, is we just said we want to see VMware

00:46:14.920 --> 00:46:17.160
bugs and we weren’t getting any in the program.

00:46:17.160 --> 00:46:21.980
Then we started getting VMware bugs and now we get quite a few, starting with just a couple

00:46:21.980 --> 00:46:23.730
in 2017.

00:46:23.730 --> 00:46:26.040
That to me is a great value to the program as well.

00:46:26.040 --> 00:46:27.040
BRIAN: Yeah, it’s quite fun.

00:46:27.040 --> 00:46:31.599
I think from my perspective, I’ve been involved in it – with it now for quite a bit of time

00:46:31.599 --> 00:46:37.330
and you really get to see the change in the way that the community approaches the problem

00:46:37.330 --> 00:46:39.119
of exploitation.

00:46:39.119 --> 00:46:44.750
Back when I first started it was small teams, individuals participating in the program,

00:46:44.750 --> 00:46:49.750
and then small companies got involved like Vupen where they would actually have a workforce

00:46:49.750 --> 00:46:53.850
that was developing exploits for the contest and then very large organizations, some of

00:46:53.850 --> 00:46:59.069
the biggest companies in China participating at a large scale, bringing exploits for every

00:46:59.069 --> 00:47:02.190
single category, every single target.

00:47:02.190 --> 00:47:09.560
Then it’s shifting back to the small, individual researchers again.

00:47:09.560 --> 00:47:13.500
The fact that it is possible to write some of these exploits and research these attack

00:47:13.500 --> 00:47:17.300
surfaces as an individual I think is important for people to see.

00:47:17.300 --> 00:47:22.700
Then now, again, we’ve got small teams starting to participate again.

00:47:22.700 --> 00:47:27.609
JACK: While Pwn2Own is not really a spectator sport, it’s still an exciting contest.

00:47:27.609 --> 00:47:31.890
They don’t really show anything to the audience because they need to verify the exploit before

00:47:31.890 --> 00:47:35.050
giving points and they don’t want other teams to see how it was done.

00:47:35.050 --> 00:47:37.670
So, there’s not much to see if you go.

00:47:37.670 --> 00:47:42.530
But what happens in the wires is where the exciting part happens and the people who compete

00:47:42.530 --> 00:47:45.010
in it, yeah, I’m gonna say this is the big leagues.

00:47:45.010 --> 00:47:49.210
It’s a place to demonstrate you’re one of the top-tier hackers in the world which

00:47:49.210 --> 00:47:53.030
brings us back to Pedro and Radek, the two guys you heard at the beginning.

00:47:53.030 --> 00:47:55.670
Together, they’re known as Team Flashback.

00:47:55.670 --> 00:48:00.510
I had the chance to talk with them after they won the Masters of Pwn in November, 2020.

00:48:00.510 --> 00:48:04.609
PEDRO: Okay, so our team is called Flashback.

00:48:04.609 --> 00:48:09.650
We just thought it was quite a cool name to have and we just went with it.

00:48:09.650 --> 00:48:14.870
Also kind of related to hardware hacking which was pretty much what we do, right, is flashing

00:48:14.870 --> 00:48:15.870
something, you know?

00:48:15.870 --> 00:48:17.309
Hence, Flashback.

00:48:17.309 --> 00:48:21.940
JACK: This is Pedro but I’ve gotta say both Pedro and Radek do sound very similar to me.

00:48:21.940 --> 00:48:27.030
PEDRO: So, we met – actually, the way we met was Radek hired me.

00:48:27.030 --> 00:48:33.170
He hired me as an external consultant for the company he was working at the time.

00:48:33.170 --> 00:48:35.250
We got along pretty well.

00:48:35.250 --> 00:48:38.130
Fast forward, we like the same stuff.

00:48:38.130 --> 00:48:41.960
For example, we like motorbikes, so we’d go on motorbike trips.

00:48:41.960 --> 00:48:44.180
This was 2018.

00:48:44.180 --> 00:48:49.750
We decided that we wanted to do something together when we were in one of these motorbike

00:48:49.750 --> 00:48:51.350
trips.

00:48:51.350 --> 00:48:56.640
Then the initial idea was for us to provide some training, specialized training in this

00:48:56.640 --> 00:48:57.640
area.

00:48:57.640 --> 00:49:02.390
But then this opportunity of Pwn2Own just appeared out of nowhere.

00:49:02.390 --> 00:49:07.530
I just remember – Radek, I just suggested to him, and from then on it just caught fire,

00:49:07.530 --> 00:49:08.530
you know?

00:49:08.530 --> 00:49:11.260
Then we just decided to go for all Pwn2Owns we could.

00:49:11.260 --> 00:49:13.240
JACK: Okay, now, hold on a second.

00:49:13.240 --> 00:49:18.819
It doesn’t work that way because trying to find a zero-day vulnerability in some of

00:49:18.819 --> 00:49:24.319
the most secure software; I mean, the browsers are working really hard.

00:49:24.319 --> 00:49:29.030
You’re going against Google engineers here and Microsoft engineers to say we think we

00:49:29.030 --> 00:49:32.660
can find something that you guys overlooked.

00:49:32.660 --> 00:49:37.920
What gave you that confidence that you think you can find zero-day vulnerabilities?

00:49:37.920 --> 00:49:43.000
Have you historically been good at finding these things or why this?

00:49:43.000 --> 00:49:48.059
RADEK: As Pedro mentioned, we know each other for some time already.

00:49:48.059 --> 00:49:55.230
When I hired Pedro for the project that I was doing at work, we team up pretty fast

00:49:55.230 --> 00:49:56.230
together.

00:49:56.230 --> 00:50:02.670
We were starting to find vulns in software for Cloud, for network devices.

00:50:02.670 --> 00:50:08.690
It immediately clicked, our personality, that we can work for – efficient together and

00:50:08.690 --> 00:50:11.799
find zero-days or vulns super-fast.

00:50:11.799 --> 00:50:21.400
Yeah, if you look actually at our history or achievements; so, Pedro has like, I don’t

00:50:21.400 --> 00:50:24.880
know, what, is it like over 100 RCEs under his name?

00:50:24.880 --> 00:50:30.390
I always thought I would stay in the shadows so I didn’t publish a lot of vulnerabilities.

00:50:30.390 --> 00:50:35.000
But I think we had quite a lot of achievements already, this far.

00:50:35.000 --> 00:50:39.920
JACK: RCE is remote code execution and yeah, Googling Pedro’s name, I see a bunch of

00:50:39.920 --> 00:50:44.500
hits of vulnerabilities with his name on them, specifically vulnerabilities which allow him

00:50:44.500 --> 00:50:49.460
to execute remote commands on a device using an unknown vulnerability.

00:50:49.460 --> 00:50:52.880
For this team, they’re both professionals in the security field who like looking for

00:50:52.880 --> 00:50:54.240
vulnerabilities in products.

00:50:54.240 --> 00:50:56.310
PEDRO: Yeah, we had some experience.

00:50:56.310 --> 00:51:01.910
Like you said, we just clicked together and then yeah, we just – it’s a game of perseverance,

00:51:01.910 --> 00:51:02.910
right?

00:51:02.910 --> 00:51:05.080
Finding any vulnerability is all about perseverance.

00:51:05.080 --> 00:51:10.150
I mean, how hard and how deep you want to go and what kind of patience you have ‘cause

00:51:10.150 --> 00:51:11.290
it really tests your patience.

00:51:11.290 --> 00:51:15.650
JACK: What they like poking at most are hardware devices like routers that you would find in

00:51:15.650 --> 00:51:16.790
your house.

00:51:16.790 --> 00:51:20.890
These are physical devices, yes, but they have software running on them, too.

00:51:20.890 --> 00:51:25.460
This combination of how the software interacts with the hardware is where they’re looking

00:51:25.460 --> 00:51:26.460
for vulnerabilities.

00:51:26.460 --> 00:51:31.640
RADEK: For us, the approach is, well, we both work together on the target.

00:51:31.640 --> 00:51:35.220
We are in different time zones so we can kind of split the work.

00:51:35.220 --> 00:51:40.089
That works super-good because when I wake up, I got some results from Pedro.

00:51:40.089 --> 00:51:43.200
Then he takes over and so, I take over.

00:51:43.200 --> 00:51:45.510
That works pretty good.

00:51:45.510 --> 00:51:51.460
JACK: Are you both having a way or trying to do the same kind of thing or is somebody

00:51:51.460 --> 00:51:55.040
good at networking while the other one’s good at reverse engineering?

00:51:55.040 --> 00:51:58.230
What are your strong points in – as a team here?

00:51:58.230 --> 00:52:04.770
RADEK: We have a lot of overlaps in terms of finding vulns or exploitation but obviously,

00:52:04.770 --> 00:52:09.670
one each of us had a bit more edge on specific aspects.

00:52:09.670 --> 00:52:15.810
For instance, I am a little bit better at the hardware side, so taking the firmware from

00:52:15.810 --> 00:52:24.230
the devices and doing some hardware modification while Pedro is better in writing exploits.

00:52:24.230 --> 00:52:28.369
While we both could do the same, it’s just way – much faster, efficient, if you focus

00:52:28.369 --> 00:52:31.680
on the areas that you are better in.

00:52:31.680 --> 00:52:34.500
Still, when we always work on a target, we always work together.

00:52:34.500 --> 00:52:37.849
We never like to disconnect the activities.

00:52:37.849 --> 00:52:44.420
We always go through it together with the attack vectors, and so on.

00:52:44.420 --> 00:52:46.579
We always are in sync full-time.

00:52:46.579 --> 00:52:51.230
PEDRO: The goal is to always achieve remote code execution.

00:52:51.230 --> 00:52:57.040
In our jobs, we kinda do a little bit different role because we’re more on the defensive

00:52:57.040 --> 00:53:02.200
side or offensive, but to try to help companies.

00:53:02.200 --> 00:53:06.720
We basically catalogue all the vulnerabilities we found.

00:53:06.720 --> 00:53:10.730
Can be some file disclosure, some unauthenticated download, et cetera.

00:53:10.730 --> 00:53:15.650
But for Pwn2Own, really, all we care is get control of the device and gain remote code

00:53:15.650 --> 00:53:19.230
execution by whatever means possible.

00:53:19.230 --> 00:53:24.140
Sometimes those means can be quite simple in some cases and other times can be very

00:53:24.140 --> 00:53:30.490
convoluted, very complicated with exploits, chaining five and six exploits into one in

00:53:30.490 --> 00:53:34.390
order to get this remote code execution.

00:53:34.390 --> 00:53:39.890
JACK: [MUSIC] One of the vulnerabilities they found was on a normal off-the-shelf home router.

00:53:39.890 --> 00:53:44.270
They got one and looked inside at the software and they saw what services were running on

00:53:44.270 --> 00:53:48.520
this router and started scrutinizing each service to see if any of them had a vulnerability.

00:53:48.520 --> 00:53:54.440
After a week, they had developed a fully-functional remote code execution.

00:53:54.440 --> 00:53:58.320
Here’s how that works; these routers sit in our homes, okay?

00:53:58.320 --> 00:54:03.380
One side is connected to all the computers inside the home and the other side is connected

00:54:03.380 --> 00:54:05.859
to the internet, your ISP.

00:54:05.859 --> 00:54:10.780
They found a way to craft a packet in such a way that the router would process it and

00:54:10.780 --> 00:54:13.320
then execute whatever commands were in that payload.

00:54:13.320 --> 00:54:18.099
PEDRO: But in this case was quite tricky because we could only really inject one or two characters

00:54:18.099 --> 00:54:19.210
at a time.

00:54:19.210 --> 00:54:25.609
What we did is we basically wrote a file to the operating system by exploiting the vulnerability

00:54:25.609 --> 00:54:31.290
multiple times, injecting one character at a time until we build the command we wanted,

00:54:31.290 --> 00:54:33.000
and then we just executed that file.

00:54:33.000 --> 00:54:34.869
That’s how we got our root shell.

00:54:34.869 --> 00:54:38.710
JACK: When they were able to conduct this exploit for the first time, it was quite exciting.

00:54:38.710 --> 00:54:44.990
RADEK: Oh yeah, this is the best feeling in the world, you can say.

00:54:44.990 --> 00:54:50.930
People might think that the more exploits you develop and you have, it’s kind of – get

00:54:50.930 --> 00:54:57.369
normal but for me at least and I see with Pedro as well, every single time we got the

00:54:57.369 --> 00:55:01.490
new exploit, a new RCE, it’s just like a fresh, completely new experience.

00:55:01.490 --> 00:55:06.430
You are super-hyped and super-happy that you finally got it.

00:55:06.430 --> 00:55:12.569
You feel like you walk elevated and you just don’t want to stop.

00:55:12.569 --> 00:55:13.930
That’s the super-big reward.

00:55:13.930 --> 00:55:17.530
PEDRO: Yeah, you giggle like a schoolgirl, really.

00:55:17.530 --> 00:55:18.910
RADEK: Yeah.

00:55:18.910 --> 00:55:21.880
JACK: This is such a scary exploit.

00:55:21.880 --> 00:55:26.960
Anyone on the internet who has this exploit can send some packets to your router and get

00:55:26.960 --> 00:55:29.220
a root shell from that.

00:55:29.220 --> 00:55:32.640
A root shell means you could do anything you want on that router, including looking at

00:55:32.640 --> 00:55:35.950
all traffic coming in and out of your home.

00:55:35.950 --> 00:55:39.820
This is the kind of exploit that governments and mercenary hackers would love to get their

00:55:39.820 --> 00:55:40.820
hands on.

00:55:40.820 --> 00:55:45.480
But Team Flashback is not interested in selling their vulnerabilities to people like that.

00:55:45.480 --> 00:55:51.970
RADEK: Well, in the first place, we wanted to participate in Pwn2Own, so we were going

00:55:51.970 --> 00:55:56.950
after the targets which were on the list for Pwn2Own.

00:55:56.950 --> 00:55:58.640
We were playing by the rules.

00:55:58.640 --> 00:56:06.880
Of course, we could sell it to the broker or somebody but we believe that was the best

00:56:06.880 --> 00:56:10.470
way forward for us, to participate in Pwn2Own.

00:56:10.470 --> 00:56:18.589
Yeah, I think this is a pretty dangerous exploit, especially the one side.

00:56:18.589 --> 00:56:25.970
The things that NSA or any malicious actor has some capabilities could hack any router

00:56:25.970 --> 00:56:28.460
of this type, the home router.

00:56:28.460 --> 00:56:36.220
Actually, two of our exploits were delivering a persistent back door.

00:56:36.220 --> 00:56:42.030
Once you exploit it, the user is not even aware of the exploit being planted or the

00:56:42.030 --> 00:56:48.240
back door being planted on your device which actually survives factory reset.

00:56:48.240 --> 00:56:51.730
It will stay there forever until we hack it back.

00:56:51.730 --> 00:56:52.730
JACK: Wow.

00:56:52.730 --> 00:56:56.410
Okay, yeah, I mean, you want to do Pwn2Own ‘cause you want to prove you’re the Masters

00:56:56.410 --> 00:57:00.619
of Pwn and the best hackers in the world.

00:57:00.619 --> 00:57:03.520
PEDRO: That was our goal, yeah.

00:57:03.520 --> 00:57:08.070
I mean, it’s all about motivation, right?

00:57:08.070 --> 00:57:10.319
Our motivation is not money.

00:57:10.319 --> 00:57:11.319
We can tell you.

00:57:11.319 --> 00:57:15.420
I’m talking for myself, but I know Radek thinks the same.

00:57:15.420 --> 00:57:18.760
We could make a lot more money selling this in the gray market.

00:57:18.760 --> 00:57:21.560
JACK: You said you’re not motivated by money.

00:57:21.560 --> 00:57:22.880
What are you motivated by?

00:57:22.880 --> 00:57:32.020
PEDRO: I think in my particular case, it’s not as much fame but it’s more like respect.

00:57:32.020 --> 00:57:34.109
I really love hacking.

00:57:34.109 --> 00:57:39.599
As I said, I spend all my waking hours doing it, basically.

00:57:39.599 --> 00:57:43.220
When you love something, you want to be respected by your peers, right?

00:57:43.220 --> 00:57:48.360
It doesn’t mean that I have to be the best guy ever or that people have to fawn over

00:57:48.360 --> 00:57:49.360
me.

00:57:49.360 --> 00:57:50.360
That’s not what I’m looking after.

00:57:50.360 --> 00:57:54.240
I’m looking for to be respected by the same people that you respect, right?

00:57:54.240 --> 00:57:57.920
I think everyone in every field, not just the cyber-security, that’s what they really

00:57:57.920 --> 00:57:59.619
aim for.

00:57:59.619 --> 00:58:02.609
This is a way to do it.

00:58:02.609 --> 00:58:09.520
Honestly, obviously money also plays a role but in the end, I got my other job and Radek

00:58:09.520 --> 00:58:11.839
has got his other job that gives money.

00:58:11.839 --> 00:58:13.920
The Pwn2Own prizes are not bad at all.

00:58:13.920 --> 00:58:20.560
Yeah, we could get more in the gray market but it’s just not worth not having the fame

00:58:20.560 --> 00:58:23.000
and the respect we can get from Pwn2Own.

00:58:23.000 --> 00:58:28.619
JACK: Together, Team Flashback has brought eleven working zero-day exploits to three

00:58:28.619 --> 00:58:33.670
different Pwn2Own events and have taken money home from each event.

00:58:33.670 --> 00:58:37.540
In the November 2020 Pwn2Own, they won Masters of Pwn.

00:58:37.540 --> 00:58:44.320
RADEK: Well, in total, I think it was 50k for 2019 Tokyo.

00:58:44.320 --> 00:58:48.560
PEDRO: 55.
RADEK: 55.

00:58:48.560 --> 00:58:51.760
Then 75k for Miami in January.

00:58:51.760 --> 00:58:55.869
That was industrial control systems hacking.

00:58:55.869 --> 00:58:59.099
Now, was the 40, Pedro?

00:58:59.099 --> 00:59:01.270
PEDRO: 40 plus the bonus, I think.

00:59:01.270 --> 00:59:02.730
RADEK: Yeah, plus the bonus; 25k.

00:59:02.730 --> 00:59:04.559
It was – I don’t know how much.

00:59:04.559 --> 00:59:05.559
Around…

00:59:05.559 --> 00:59:12.251
PEDRO: 200k in a year which is pretty good even if divided by two.

00:59:12.251 --> 00:59:15.730
JACK: Wow, you could – yeah, you could live off that.

00:59:15.730 --> 00:59:21.410
RADEK: Well, that’s only our side job, you know, for the weekends.

00:59:21.410 --> 00:59:26.150
PEDRO: Well, I wish, because it consumes a month, but yeah.

00:59:26.150 --> 00:59:27.150
But it was worth it.

00:59:27.150 --> 00:59:29.849
The motivation is not money, right?

00:59:29.849 --> 00:59:33.890
But it’s always good to also have a bit in your pocket.

00:59:33.890 --> 00:59:40.910
JACK: [MUSIC] Now, it’s common to experience something weird when competing at Pwn2Own,

00:59:40.910 --> 00:59:43.460
and Team Flashback had something weird happen to them, too.

00:59:43.460 --> 00:59:48.410
In 2020 they brought six working vulnerabilities to the competition but were only able to execute

00:59:48.410 --> 00:59:49.410
four of them.

00:59:49.410 --> 00:59:53.450
Two of them were mysteriously patched just days before the event.

00:59:53.450 --> 00:59:54.910
They don’t know why.

00:59:54.910 --> 00:59:55.940
Maybe the vendor found it.

00:59:55.940 --> 00:59:58.460
Maybe another team submitted it ahead of time.

00:59:58.460 --> 01:00:00.200
Who knows if something shady went on?

01:00:00.200 --> 01:00:04.039
PEDRO: Yeah, there’s a lot of dirty tricks in the history of ZDI.

01:00:04.039 --> 01:00:06.280
This is a well-known thing.

01:00:06.280 --> 01:00:12.340
From what we heard, unofficially from the ZDI guys, this is quite common or used to

01:00:12.340 --> 01:00:16.920
be quite common because there’s a thing – there’s been a shift in the

01:00:16.920 --> 01:00:20.049
last few years.

01:00:20.049 --> 01:00:25.790
In the beginning, Pwn2Own was mostly independent researchers and independent teams like us.

01:00:25.790 --> 01:00:27.990
Then it shifted to company-supported.

01:00:27.990 --> 01:00:34.550
For example, Tencent and 360, they still – they’re blocked by the Chinese government to participate

01:00:34.550 --> 01:00:38.049
in Pwn2Own but they have their own Chinese Pwn2Own.

01:00:38.049 --> 01:00:40.760
If you look, they have amazing results.

01:00:40.760 --> 01:00:43.490
I mean, let’s be honest, way better than us.

01:00:43.490 --> 01:00:47.810
But these guys, they’re like basically twenty – the winning team in the Chinese Pwn2Own

01:00:47.810 --> 01:00:51.860
is here; it had nineteen people.

01:00:51.860 --> 01:00:56.230
That plus corporate backing, you can’t really beat as an independent.

01:00:56.230 --> 01:01:00.079
The good side of the Chinese not being allowed to participate in the competition is that

01:01:00.079 --> 01:01:02.320
we’re back again to independent researchers.

01:01:02.320 --> 01:01:07.569
I’d say 50/50; you got company teams but they’re a little bit smaller and the rest

01:01:07.569 --> 01:01:11.280
are independent researchers like myself and Radek.

01:01:11.280 --> 01:01:16.500
JACK: Yeah, in 2018, the Chinese government wrote a new policy to discourage security

01:01:16.500 --> 01:01:20.349
researchers from participating in sharing exploits at foreign hacking competitions like

01:01:20.349 --> 01:01:22.170
Pwn2Own or even CTFs.

01:01:22.170 --> 01:01:26.620
I guess they want to keep the exploits within China and not share them.

01:01:26.620 --> 01:01:27.620
Huh.

01:01:27.620 --> 01:01:31.049
Oh yeah, CTFs; this is a totally different kind of hacker contest.

01:01:31.049 --> 01:01:33.130
It’s called Capture the Flag.

01:01:33.130 --> 01:01:36.799
If you want to know more about this, check out Episode 43 called PPP.

01:01:36.799 --> 01:01:41.620
Actually, in that episode I said whoever wins Defcon’s Capture the Flag contest can rightly

01:01:41.620 --> 01:01:43.549
claim to be the best hackers in the world.

01:01:43.549 --> 01:01:48.319
But I’m starting to think that Pwn2Own is right up there too as being one of the most

01:01:48.319 --> 01:01:50.010
prestigious hacking events.

01:01:50.010 --> 01:01:53.549
I’m pretty sure it’s one of the highest-paying hacker contests, too.

01:01:53.549 --> 01:01:56.930
But like these guys said, there are certainly better hackers out there.

01:01:56.930 --> 01:01:58.809
They’re just in the shadows.

01:01:58.809 --> 01:02:02.400
But it makes you think about how precious a zero-day exploit is.

01:02:02.400 --> 01:02:07.770
Together, Radek and Pedro have found over 200 zero-day exploits which can do remote

01:02:07.770 --> 01:02:12.299
code execution while other governments and mercenary hacker groups out there are buying

01:02:12.299 --> 01:02:19.500
exploits and holding onto them tight, treating them as precious, expensive, top-secret tools.

01:02:19.500 --> 01:02:24.859
What does that say about hackers who have so many zero-days that have no problem demonstrating

01:02:24.859 --> 01:02:30.770
them at contests versus hackers who would never share their zero-days with others?

01:02:30.770 --> 01:02:33.380
I don’t know, actually.

01:02:33.380 --> 01:02:37.520
But I do get worried sometimes that zero-day hacking tools are sometimes only available

01:02:37.520 --> 01:02:42.849
for the elite or rich to buy and are used for nefarious reasons.

01:02:42.849 --> 01:02:47.640
Something like ZDI is out there trying to level that playing field, making those exploits

01:02:47.640 --> 01:02:54.960
no longer usable because we’re all patching our routers and computers and phones and software

01:02:54.960 --> 01:02:57.410
and operating systems, right?

01:02:57.410 --> 01:03:02.230
Because when we apply patches to software, it fixes any vulnerabilities that that vendor

01:03:02.230 --> 01:03:05.630
knows about, rendering attacks like this useless.

01:03:05.630 --> 01:03:09.940
Again, I’m urging you; patch your stuff.

01:03:09.940 --> 01:03:14.039
Guys, how did you celebrate when you won Masters of Pwn?

01:03:14.039 --> 01:03:23.200
PEDRO: Well, due to coronavirus, we can’t celebrate together unfortunately, but I guess

01:03:23.200 --> 01:03:24.420
I got drunk that day.

01:03:24.420 --> 01:03:25.920
I can tell that.

01:03:25.920 --> 01:03:29.359
RADEK: But yeah, it definitely – it is a good feeling.

01:03:29.359 --> 01:03:30.980
We were aiming for Masters of Pwn.

01:03:30.980 --> 01:03:32.880
We are super-happy it happened.

01:03:32.880 --> 01:03:40.410
I’m sure we’re gonna celebrate properly when the coronavirus situation is over and

01:03:40.410 --> 01:03:41.939
we can meet again.

01:03:41.939 --> 01:03:47.500
Probably gonna do some motorbike trip and think about the future, what the next project…

01:03:47.500 --> 01:03:48.500
PEDRO: Hack some more.

01:03:48.500 --> 01:03:51.369
RADEK: …yeah, hack some more stuff.

01:03:51.369 --> 01:04:01.960
(OUTRO): [OUTRO MUSIC] A big thank-you to Dustin Childs and Brian Gorenc from the Zero

01:04:01.960 --> 01:04:02.960
Day Initiative.

01:04:02.960 --> 01:04:05.819
Thanks for all the contests you put together and the money you’ve paid out for this.

01:04:05.819 --> 01:04:08.020
It really does help us all stay more secure.

01:04:08.020 --> 01:04:12.619
2020 marks the 15th anniversary of ZDI and it’s still going strong and bigger than

01:04:12.619 --> 01:04:13.619
ever.

01:04:13.619 --> 01:04:16.340
Can’t wait to see what stories come out in the next fifteen years.

01:04:16.340 --> 01:04:18.870
Also a big thank-you to Pedro and Radek from Team Flashback.

01:04:18.870 --> 01:04:22.029
Congrats on the win and good luck in your next contest.

01:04:22.029 --> 01:04:26.060
If you like this show, if it brings value to you, consider donating to it through Patreon.

01:04:26.060 --> 01:04:30.280
When you buy a book or watch a movie, you pay for it before you know if it’s worth

01:04:30.280 --> 01:04:31.280
money.

01:04:31.280 --> 01:04:34.869
But I give you this show without any upfront costs or barrier so you can decide if it brings

01:04:34.869 --> 01:04:37.040
value to you and is worth supporting.

01:04:37.040 --> 01:04:42.130
Please show your appreciation for the show by visiting patreon.com/darknetdiaries and

01:04:42.130 --> 01:04:43.130
become a member.

01:04:43.130 --> 01:04:44.130
Thank you.

01:04:44.130 --> 01:04:47.819
This show is made by me, the master of nothing, Jack Rhysider.

01:04:47.819 --> 01:04:52.520
Editing help this episode by the little pony, Damienne, and our theme music is by the Saturn

01:04:52.520 --> 01:04:53.579
ring-collector, Breakmaster Cylinder.

01:04:53.579 --> 01:05:00.089
Even though I pour gas on my firewall whenever I really need to stoke that fire inside it,

01:05:00.089 --> 01:05:01.790
this is Darknet Diaries.
