iOS, Chrome and more were hacked at the Tianfu Cup hacker competition in China

The Tianfu Cup, the largest and most prestigious hacker competition in China, ended late last week in the city of Chengdu.

In fact, the Tianfu Cup is very similar to Pwn2Own and was created right after the Chinese government in 2018 prohibited local cybersecurity researchers from participating in hacker competitions organized overseas.

The Tianfu Cup and Pwn2Own rules are also similar.

“The essence of the competition is to exploit previously unknown vulnerabilities and use them to hack a specific application or device. If the exploit works, and the attack succeeds, the researchers receive points for this, and eventually cash prizes,” say the organizers of the Tianfu Cup.

As with Pwn2Own, all exploits used and bugs found are reported to the developers of the compromised products, and patches are released shortly after the end of the competition.

This year, 15 teams took part in the Tianfu Cup, and they were given three attempts, five minutes each, to hack a selected target using an original exploit. As a result of the competition, the participants demonstrated 23 hacking attempts, many of which were successful.

Out of 16 targets, the participants managed to compromise:

  • iOS 14 (running on iPhone 11 Pro);
  • Samsung Galaxy S20;
  • Windows 10 2004 (April 2020);
  • Ubuntu;
  • Chrome;
  • Safari;
  • Firefox;
  • Adobe PDF Reader;
  • Docker (Community Edition);
  • VMware ESXi (hypervisor);
  • QEMU (emulator and virtualizer);
  • firmware for TP-Link and ASUS routers.

As last year, the team of specialists from the Chinese technology giant Qihoo 360 (360 Enterprise Security and Government (ESG) Vulnerability Research Institute, aka Team 360Vulcan) won by a wide margin. The winners took home $744,500, almost two-thirds of the event’s total prize pool of $1,210,000 this year.

Second and third places went to the AntFinancial Lightyear Security Lab ($258,000) and private security researcher Pang ($99,500).

Let me remind you that we talked about how Pwn2Own was held in a virtual environment due to COVID-19.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
