This article is more than 1 year old
Come on, hackers, do your worst ‒ Facebook opens Portal gizmo to Pwn2Own exploit fest
Thousands of dollars and new kit up for grabs if you can blow a hole in Zuck's video-conf gear
Facebook is opening its Portal videoconferencing hardware to hackers for the first time at the upcoming Pwn2Own Tokyo competition.
The Social Network will be providing the headliner for the hacking contest, allowing contestants to demonstrate working exploits that can achieve either remote code execution or, barring that, local privilege escalation. Hacking teams from around the world will try their luck and could scoop a cash prize from Facebook of either $60,000 (for an RCE exploit) or $40,000 (for privilege escalation or non-invasive physical attacks), as well as the hardware itself.
Facebook's Oculus subsidiary will also be taking part in the contest, offering up the Oculus Quest VR headset to the "Wearable" category. Like the Portal, winners must show working exploits for remote code execution, privilege escalation, or non-invasive physical attacks (you can touch, but can't crack it open) on a fully-patched headset. Winners will get the unit and either $60,000 or $40,000, depending on the severity of the attack.
Both of the Facebook devices will be tested as part of the Pwn2Own Tokyo contest running on November 6th and 7th at the PacSec conference in Japan. In addition to the Facebook gear, contestants will get a chance to break into the Apple Watch, iPhone XS Max, Samsung Galaxy S10, Huawei P30, and home cameras from Amazon and Nest.
Other targets include routers (TP-Link and Netgear) and smart TVs from Sony and Samsung.
For the smartphones, in addition to getting into the phones via the web browser, contestants will be tasked with breaking into handsets over short-distance wireless (Wi-Fi, Bluetooth, USB), SMS message, or by pretending to be a base station.
Those who show working exploits (usually remote code execution, elevation of privilege, or sandbox escape, depending on the target) get the device and a cash payout, as well as points toward the overall "Master of Pwn" category, which has its own trophy and a Platinum-tier membership in the Trend Micro ZDI program as a reward.
"While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points," ZDI notes.
"Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout." ®
Biting the hand that feeds IT
