In this year’s edition, several tech-giants were “pwned”, including names like Microsoft, Samsung, VMWare, Google, and Apple. The organizers have confirmed successful exploits, some of which never-seen-before, against:
iOS 14 running on an iPhone 11 Pro
Samsung Galaxy S20
Windows 10 v2004 (April 2020 edition)
Adobe PDF Reader
Docker (Community Edition)
VMWare EXSi (hypervisor)
QEMU (emulator & virtualizer)
TP-Link and ASUS router firmware
Tianfu Cup: Details about the Competition
This year, the competition gathered fifteen teams of Chinese hackers, all of which had three 5-minute attempts to hack into a selected target using a unique exploit. Each successful attempt was rewarded with monetary compensation that depended on the target and the vulnerability type. It should be noted that software vendors were informed about the exploits. Patches to address the flaws will be available in the near future.
In fact, reporting the issues to the software companies is part of the contest regulations, similar to the infamous Pwn2Own hacking event’s rules. For example, in 2017, VMWare released a security advisory regarding several critical vulnerabilities demonstrated during Pwn2Own. The flaws could be exploited to escape from the isolation of virtual machines. The teams were awarded $105,000 for the successful exploits.
This was the third year of Tianfu Cup, whereas the Pwn2Own hacking contest has been happening since 2007 twice a year.
$744,500 paid to Qihoo 360’s team of hackers
Who won first place? The winning team, known as “360 Enterprise Security and Government and (ESG) Vulnerability Research Institute,” is from the respected Qihoo 360 company. The team received nearly two-thirds of the entire prize budget or $744,500 out of $1,210,000. Second and third place belong to the AntFinancial Lightyear Security Lab and security researcher Pang.