
Windows 10, iOS 15 and Chrome were hacked in China’s Tianfu Cup 2021 competition

Chinese cybersecurity professionals earned $1.88 million at the 2021 Tianfu Cup, the largest and most prestigious hacking competition in the country. During the contest, Windows 10, iOS 15, Google Chrome, Apple Safari, Microsoft Exchange Server, Ubuntu 20 and more were successfully hacked.

The Tianfu Cup is very similar to the famous Pwn2Own competition and was created after the Chinese government banned local cybersecurity researchers from participating in hacking competitions organized overseas in 2018. The rules of Tianfu Cup and Pwn2Own are similar: the essence of the competition is to exploit previously unknown vulnerabilities and use them to hack a specific application or device. If the exploit works and the attack succeeds, the researchers receive points and, as a result, cash prizes.

As with Pwn2Own, all exploits used and bugs found are reported to the developers of the compromised products, and patches are released shortly after the end of the competition.

This year, the organizers announced the targets in the summer, so participants had three to four months to prepare their exploits. During the competition, researchers are given three attempts of five minutes each to launch their exploits on devices provided by the organizers.

This time the competition was held on October 16 and 17 in the city of Chengdu. Experts from the Chinese cybersecurity firm Kunlun Lab won and took home $654,500, which is about a third of the total prize pool.

The list of targets for the Tianfu Cup 2021 included 16 devices and software products, and the competition became one of the most successful: 11 participants carried out successful attacks against 13 targets.

The only targets that were not compromised were the Synology DS220j NAS, the Xiaomi Mi 11 smartphone, and an undisclosed Chinese electric vehicle (not a single participant even registered for this target).

Successful exploits were demonstrated for:

  • Windows 10 (hacked 5 times);
  • Adobe PDF Reader (hacked 4 times);
  • Ubuntu 20 (hacked 4 times);
  • Parallels VM (hacked 3 times);
  • iOS 15 (jailbroken 3 times);
  • Apple Safari (hacked 2 times);
  • Google Chrome (hacked 2 times);
  • ASUS AX56U router (hacked 2 times);
  • Docker CE (hacked 1 time);
  • VMware ESXi (hacked 1 time);
  • VMware Workstation (hacked 1 time);
  • qemu VM (hacked 1 time);
  • Microsoft Exchange (hacked 1 time).

Most exploits targeted privilege escalation and remote code execution vulnerabilities. However, two attacks stood out from the others. The first was a remote code execution chain requiring no user interaction against a fully patched iOS 15 running on the latest iPhone 13. The second was a simple two-step exploit chain for remote code execution in Google Chrome.

This year, the competition attracted worldwide attention, as the iOS exploit shown last year at the Tianfu Cup was eventually used by the Chinese authorities to spy on the Uyghur population. This fact finally convinced many information security specialists that the country's authorities prohibited Chinese researchers from participating in hacking contests abroad in order to better use their potential for their own operations.

Let me remind you that we also reported that the Chinese authorities use AI to analyze the emotions of Uyghur prisoners.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
