They say you don’t notice something good until it’s gone. With China’s decision to restrict its information security researchers from participating in global hacking competitions, we’re about to see what that looks like on the global “zero day” stage.
For over a decade Pwn2Own — happening this week — has brought together security talent from across the globe in a friendly hacking competition that is a cornerstone of research and advancement on par with Black Hat and Def Con.
China’s hackers routinely win, sweeping the board — Tencent’s Keen Security Lab most notably. Pwn2Own is good-natured, and all in the name of researchers finding big bugs, collecting large bounties and drawing attention to security holes and zero-days that need to be fixed.
But this year, according to Pwn2Own manager Brian Gorenc, China is no longer allowing its researchers to compete. Prior to the start of Pwn2Own this week, Gorenc told press “There have been regulatory changes in some countries that no longer allow participation in global exploit contests, such as Pwn2Own and Capture the Flag competitions.”
One thing’s for certain: yearly champions Tencent’s Keen Labs and Qihoo 360’s 360Vulcan team are nowhere to be found, and Trend Micro, the contest organizer, has confirmed to Engadget that there are no Chinese competitors in this year’s competition.
Stuck behind the Great Firewall
A spokesperson from Trend Micro told us via email, “If regulatory changes do prevent certain countries from participating, we would expect it to be across many events and not just Pwn2Own. These regulatory changes likely apply to other types of competitions.”
It’s a worrying development, a step toward isolationism and away from the benefits of open competition in the spirit of improving security for all. It comes at a time when relations between the US and China are strained by security concerns over Huawei, concerns that are not at all new but are certainly coming to a head as American companies sever business ties with the firm.
It also puts all eyes on Def Con, which holds its first conference in China in early May. When reached for comment, the organization said it was still observing these developments.
The wider infosec community was just plain disappointed. Microsoft Edge Security hacker Jonathan Norman said in a tweet that the decision to keep China’s hackers out of Pwn2Own was “depressing” because he “Worked really hard preparing for this year and wanted to see the results.” Others said it just wasn’t going to be the same without Keen participating, and they’re not wrong.
One could argue that Pwn2Own makes everyone more secure. It’s a contest that lights a fire under big vendors like Microsoft, Google, Apple, VMware, Mozilla and others, who routinely release large security patches immediately before the event. In addition, those behind Pwn2Own note that “There have been instances of teams filing bug reports with vendors prior to the contest in the hopes of killing competitors’ exploits.”
Pwn2Own was founded by Trend Micro’s Zero Day Initiative, an organization set up to “encourage the reporting of zero day vulnerabilities responsibly to the affected vendors.” The ZDI wrote in a blog post on Pwn2Own’s tenth anniversary:
Would movement towards more secure software like this happen without Pwn2Own? Possibly, but Pwn2Own serves as an annual forcing function for vendors. It’s an annual assessment of the state of security as we pit the best vendors have to offer against some of the best security researchers in the world.
A special edition of “Hoarders”
It appears that China’s government wants to keep vulnerability discoveries by its citizens within its borders, a sentiment expressed by the country’s top executives as well. Zhou Hongyi, CEO of leading Chinese security company Qihoo 360, is a vocal opponent of Chinese teams going abroad to compete in events like Pwn2Own.
In last year’s competition the top five winners were from China, three of them from Tencent. In reaction, Zhou told Sina Technology that any vulnerability discoveries by Chinese researchers “should remain in China.” This suggests that while China’s hacking teams love to compete and share skills, the country’s executives and managers would rather hoard zero days and bugs.
For an event like Pwn2Own, there are many bugs — and cash prizes — to be had. Last year, for the event’s ten-year anniversary, the Zero Day Initiative awarded $833,000 to white hat hackers, who exposed 51 different zero-day bugs. Most were found by Chinese researchers. China’s researchers emerged as a force to reckon with at the 2013 Mobile Pwn2Own contest in Japan, and Tencent’s Keen team later hacked and remotely controlled Tesla cars, presenting and demonstrating the attacks at Black Hat USA 2017.
Chinese teams have a solid track record at Pwn2Own, but their work at the 2016 contest is possibly the best example of how the global competition contributes to better security for everyone.
In 2016, Tencent’s rival Qihoo 360 walked away with $520,000 in prize money from sister event PwnFest, where its hackers compromised Google’s then-new Pixel phone in about 60 seconds. The same year, the Nexus 6P was hacked in under five minutes at Mobile Pwn2Own by Tencent’s Keen Team white hat hacking group.
“Google said the Chrome bug that Keen Team found was patched within 24 hours of the event and the changes have already been released into the stable branch by the Chrome team,” wrote The Register.
Divided we falter
Taking Chinese teams out of global hacking competitions may seem like a detail only noticed in the most niche corners of security research chatter. Who cares if the people making the biggest strides in pushing the boundaries of big-name security get held back? Let’s give everyone else a chance, right?
If only it worked that way. One country’s decision to hoard its talent and their zero days shows us just how social security research really is. It’s a group effort. Set aside for the moment that taking one country’s teams off the playing field undercuts the very premise of Pwn2Own’s effectiveness: when everyone is racing to break the big vendors’ products at the same time, everyone benefits from the fixes.
Without groups like Keen Labs or 360Vulcan, we glimpse a future security landscape, one going backwards, into insular infosec practices, nationalism and vulnerability hoarding. It’s a sick feeling, like watching the United States succumb to isolationism on the global stage, or the UK willfully cutting off its own oxygen with Brexit. It reminds us that a lot of the good parts of infosec, the conferences where other cultures mingle, are becoming a thing of the past.
China pulling researchers out of conferences so that its soldiers can build better weapons for an invisible arms race perfectly captures everything that makes us despair about both the state of infosec and the state of global politics: the brutish anti-intellectualism, the preference for what isolates over what demonstrably works. I just hope that somehow, eventually, we can right this ship and move forward, toward the security we’ve all been working for.