The Tianfu Cup is the most important hacking contest held in China for four years, this year the Chinese experts who took part in it earned 1.88 million dollars by demonstrating how to exploit various vulnerabilities in popular software.
This year’s edition took place last weekend in the Chinese city of Chengdu, as many as twelve teams of Chinese experts were confronted to find vulnerabilities in popular software such as the Windows operating system, the Linux distribution Ubuntu, Google Chrome and the iOS system that runs on Apple devices like iPhones. Below are the prizes offered to participants for each of the 16 objectives of this edition.
13 of the objectives were compromised:
• Windows 10 – hacked 5 times
• Adobe PDF Reader – 4 volte
• Ubuntu 20 – 4 times
• Parallels VM – 3 volte
• iOS 15 – 3 times
• Apple Safari – 2 times
• Google Chrome – 2 times
• ASUS AX56U router – 2 times
• Docker CE – 1 volta
• VMWare ESXi – 1 volta
• VMWare Workstation – 1 volta
• qemu VM – 1 volta
• Microsoft Exchange – 1 turn
The rules of the contest are simple, established a list of software in which to find flaws, the participants had three attempts of five minutes each to prove their existence.
This year’s winner is the team from security firm Kunlun Lab whose members earned a total of $ 654,500 for demonstrating various vulnerabilities in reported software.
But let’s get to the first of the reasons why it is important to follow events like this, namely the discovery of flaws in widely used software that could allow an attacker to compromise the systems that use them without the victims even realizing it.
The Chian Pangu team won the highest prize in the history of this competition for this exploit, a whopping $ 300,000.
Even more interesting is that the flaw discovered allows a remote attacker to execute arbitrary phone code of victims without any iteration on their part.
This type of flaw is extremely dangerous, allowing an attacker to take complete control of the victims’ devices. Similar flaws have been used repeatedly by surveillance software such as the Israeli company NSO Group’s spyware at the center of various criticisms because it is also used to track dissidents, activists and journalists around the world.
The discovery of this flaw, once reported to Apple, could on the one hand increase the security of devices through the release of the necessary patches, but also the discovery of attacks that probably already exploit the flaw.
Participants also demonstrated an exploit for remote code execution against Google Chrome, this is the first time this type of flaw has been demonstrated at the Tianfu Cup. Again, a similar flaw could be exploited to compromise the system. of a Chrome user who is tricked into visiting a site appropriately set up to exploit the vulnerability.
At this year’s edition, no vulnerabilities were demonstrated in the Synology DS220j NAS devices, in the Xiaomi Mi 11 smartphones, and in a Chinese electric vehicle whose name has not been made public.
But observation of the Tianfu Cup is considered important by many intelligence experts mainly because it provides valuable insights into a part of China‘s ecosystem of experts and related capabilities. It is known, in fact, that major Chinese security companies operate on behalf of their government and for this reason some of the flaws discovered may have already been used, or may be in the future, in espionage campaigns attributable to Beijing.
It would be interesting to be able to attend several similar competitions also in Europe and especially in our country. Hacking contests are very important events in which experts from all over the world discuss the state of the art of the main applications we use every day.