Cybersecurity company Claroty’s research team, Team82, uncovered two critical vulnerabilities at the Pwn2OWN Toronto 2022 hacking competition, which could impact a range of connected Internet of Things devices. Specifically, Team82 detected the vulnerabilities in Synology DiskStation DS920+ and NETGEAR RAX30 AX2400. Below, Sharon Brizinov, director of security research at Claroty, shares more about her team’s findings.

24×7: Was this Team82’s first time attending Pwn2OWN? If so, what made you want to attend?

Sharon Brizinov: Team82 has competed in several Pwn2Own contests, including Pwn2Own Miami, which features industrial control systems and operational technology equipment. We enjoy the challenge of competing in Pwn2Own against the best researchers and hackers in the world and sharing our good work with the industry. It’s important to find these vulnerabilities and get them fixed in order to improve the technology ecosystem for all. 

24×7: Can you discuss Team82’s discovery of these vulnerabilities?

Brizinov: In the contest, we focused on network-attached storage devices and routers. A successful exploit of vulnerabilities in these types of devices can allow a hacker deeper access to the corporate network and expose organizations to ransomware, other types of malware, and data loss. It’s important that organizations understand that even these benign devices can be attacked by hackers and cause serious damage. 

24×7: What are the immediate next steps after a discovery like this one?

Brizinov: The affected vendors are usually on-site at Pwn2Own contests, and we must privately disclose our findings to them in order to get them patched in a timely manner. No details can be made public beforehand in order to not put users of the particular product at risk to attack while it’s being patched. Kudos to Synology, which quickly turned around a fix for a chain of vulnerabilities we used to exploit its NAS device. 

24×7: What devices are impacted?

Brizinov: We targeted Synology’s DiskStation DS920+ and Western Digital’s WD My Cloud Pro Series PR4100 in the network-attached storage category, and the LAN interface of the NETGEAR RAX30 AX2400 router. 

24×7: How severe and widespread are these vulnerabilities?

Brizinov: A hacker who can gain access to one of these devices, such as the network-attached storage gear, may be able to access any sensitive data that is stored on it, such as financial information or personal documents. They may also be able to use the device to launch attacks on other devices on the same network, potentially compromising the security of the entire network. In addition, a hacker who can take control of the device may be able to use it to distribute malware or engage in other malicious activities.

24×7: Whose responsibility is it to patch these devices and how are affected vendors addressing the issue?

Brizinov: Private disclosures of the details of each of the vulnerabilities are made to all the affected vendors. It’s up to the vendors to patch their products and inform customers. Research groups like Team82 work closely with the affected vendors on coordinated disclosures and are happy to test patches once available and confirm a vulnerability is fully remediated. 

24×7: What recognition does Team82 receive for uncovering these flaws?

Brizinov: Pwn2Own pays out cash prizes to winning teams and crowns an overall winner of the competition.