Our latest HardPwn competition apparently surfaced a record number of vulnerabilities in Google devices for a hardware hacking event.
Google, which participated alongside Meta Quest (formerly Oculus) and drone developer Parrot, was alerted to 19 serious vulnerabilities in its consumer devices thanks to the achievements of the world’s leading hardware hackers at HardPwn USA 2023.
Our bug hunters collectively earned a six-figure sum in bug bounty rewards from Google. The Google Devices VRP pays out up to $10,000 for eligible vulnerabilities, and up to $250,000 for exploit chains leading to code execution.
Hardware hacking lab
HardPwn is a unique public hacking contest because security researchers hack consumer devices at the hardware level with the help of a hardware hacking lab, comprising any equipment they might need to compromise their targets.
Despite the proliferation of connected devices worldwide, bug bounty programs are still overwhelmingly focused on software security. When devices are the targets, the scope invariably focuses on firmware rather than hardware. The logistics of distributing hardware to hackers around the world make virtual programs impractical, while the niche hacking skills required are in relatively short supply.
HardPwn was launched to plug this gap in defences at the hardware level, including in custom silicon. It provides a place for hardware hackers to converge, collaborate and #HackFearlessly.
At Hardwear.io USA 2023, which took place in Santa Clara, California between 31 May and 3 June, world-renowned security researchers physically dismantled Google’s Pixel Watch, Fitbit, Chromecast, Nest Wifi Pro and Nest Cam devices. The goal was to unearth vulnerabilities that imperilled user data or enabled the takeover of devices.
Day by day at HardPwn
HardPwn kicked off in earnest on day two of the four-day competition, with elite researchers Rocco Calvi and Sickcodes teaming up to perform a comprehensive black-box security evaluation of the Chromecast and Nest Wifi Pro. Leveraging their reverse engineering skills, they reported a total of nine vulnerabilities in the devices’ Android OS and firmware, including numerous logic and memory corruption bugs and unauthenticated remote code execution issues.
Day three saw Google’s on-site team almost overwhelmed by the number and variety of bugs they had to validate. Matan Ziv of Cymotive Technologies had a productive day, reporting six potential Fitbit vulnerabilities that could have enabled attackers to take control of the fitness wearable.
The fourth and final day brought the most impressive haul of bugs. ‘rqu’, ‘stacksmashing’ and Lennert Wouters compromised encrypted user data in the Nest Wifi Pro, as well as bypassing Chromecast’s secure boot feature and uncovering a kernel-level code execution vulnerability in the streaming device. All of these attacks required physical access to the devices.
Finally, Ashmita Jha and Aiden Quimby managed to get root access on the Pixel Watch, while Marius Muench, a baseband security expert, found a heap out-of-bounds read in the device’s LTE functionality.
Ankur Chakraborty, Google’s head of programs and operations for the security and privacy of devices and services, hailed the event as a resounding success.
“We wrapped up hardwear.io USA a few weeks ago and I am still very excited by all that came out of this,” he wrote in a LinkedIn post. “Our security research community is one of the pillars for us to make our devices more secure for our users and hardwear.io becomes a time when we learn so much more for them.
“As grateful as I am for all the bugs we discover, I am more grateful for all the feedback we receive on how we can improve our vulnerability rewards program. (Also, we received a record number of vulns!).”
While researchers failed to find hardware-level bugs in the Meta and Parrot targets, firmware was successfully extracted from Meta’s Ray-Ban Stories glasses and Quest 2 VR headset. Time constraints prevented the talented Viasat team from compromising Meta Quest, but we can expect great things from them in the future.