China Hacks Chrome, Safari, Edge, and Office 365; iPhone 11 Attack Fails
Updated. Anything you can do, we can do better. So appears to be the mantra of the Chinese hacking community gathered in the Sichuan city of Chengdu to battle for the Tianfu Cup (TFC), China’s answer to Pwn2Own. According to TFC’s organizers, a total bonus of $1 million has been put up “to deliver a feast of cyber security technologies.” And the leading hackers from the world’s leading hacker nation have not disappointed.
Last year saw the inaugural TFC which demonstrated the talent on show, and the organizers ensured that the West was given good visibility of just how easy its leading hackers found the task of overcoming household name technologies.
Get started on your cybersecurity degree at American Military University.
This year’s TFC is currently ongoing—again the organizers are not holding back on showcasing the tech that is being targeted and the victories subsequently achieved. Geopolitics is heavily at play here. Last year, China “banned” its hackers from participating in international competitions for fear of disclosing too many insider tricks, or, let’s face it, offering an international venue in which hackers would likely be seen by government spooks from multiple countries. China has unsurprisingly been a dominant player in such contests, but now those skills are being kept at home.
With TFC 2019 underway, tweets shared by the organizers claimed successes against Edge, Chrome, Office 365— “within 16 seconds”, Safari, Adobe PDF Reader, VMWare and DLink. The organizers have said “all relevant enterprises and institutions are welcome to register and participate,” the implication being that new vulnerabilities will be shared with vendors. I have asked the organizers to confirm this is the case.
The TFC organizers claim the contest is intended to build “a platform for cyber security enterprises and relevant research institutions to showcase technical achievements, communicate with industrial experts and establish in-depth project collaboration opportunities.” We will see whether a second year of successes sees vendors apply to attend next year’s contest, and how that works out in practice.
In reality, TFC has been designed to provide the benefits of a hacking contest without the risk of exposing people or techniques to an uncontrolled environment. None of which has prevented the country showcasing its talents to the world and sending a message about the vulnerabilities that exist.
Day two of TFC 2019 is underway at the time of writing, with VMWare reportedly hacked and Windows Server and the iPhone 11 still to come.
Updated later on November 17: After this article was first published, the results from day two of the TFC contest were released, claiming successful hacks on VMWare, Adobe and DLink, but attempts on Windows Server and the iPhone 11 late on the second day saw hackers “give up.”
Former Pwn2Own stars Vulcan 360 were the biggest winners at the event, pocketing $382,000 in prize money. The total prize money of $545,000 was less than was awarded last year, failing to meet the expected bounty of $1 million.