Traditional competition between legal hackers
The Tianfu Cup, held in China, is the Chinese analogue of Pwn2Own, the international information security competition. Tianfu Cup events have been held since 2018, after the Chinese authorities banned national cybersecurity specialists from taking part in international competitions of "white hat" hackers. This year, 2020, the prize pool for the Tianfu Cup was $1,210,000.
The rules of the Chinese competition for legal hackers are in many ways similar to those of the Pwn2Own contests: information security experts must quickly identify previously undetected vulnerabilities and "hack" a given application or gadget. According to the rules of the competition, each team had 3 attempts to reach the set goal, each lasting 5 minutes.
Products from various brands were targeted, including those of tech giants Apple, Samsung, ASUS and TP-Link, and of technology groups such as Mozilla and Ubuntu. Although as many as 15 teams took part, only 8 of them received awards; the Qihoo 360 team, already the winner of previous Tianfu Cup competitions, earned the most. According to the organizers of the competition, of the 16 targets set, 11 were successfully compromised and 23 presentations were held.
Participants successfully tested their exploits on the following software and devices:
• iOS 14 running on an iPhone 11 Pro (the jailbreak took 10 seconds)
• Samsung Galaxy S20
• Windows 10, version 2004 (April 2020 build)
• Adobe PDF Reader
• Docker (Community Edition)
• VMware ESXi (hypervisor)
• QEMU (emulator and virtualizer)
• Firmware for TP-Link and ASUS routers
The teams that managed to jailbreak iOS 14 on the iPhone 11 Pro received prizes totaling $180,000. The Qihoo 360 team won the overall standings, taking $744.5 thousand (61.5%). The Ant-Financial Light-Year Security team came in second with $258,000 (21.3%), and Pang, a private information security specialist, came in third with $99,500 (8.2%).
According to the rules of the competition, information about all the vulnerabilities identified during the competition has already been transferred to representatives of Samsung, Google, Apple and others.