2018 Pwnie Awards: Who Pwned, Who Got Pwned
A team of security experts round up the best and worst of the year in cybersecurity at Black Hat 2018.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blte732618c60ee71ec/64f0d5e35f011167510361bd/Pwnies2018Pwnies.jpg?width=700&auto=webp&quality=80&disable=upscale)
The Pwnie awards, which take place at the annual Black Hat conference in Las Vegas each summer, acknowledge the achievements and failures of cybersecurity researchers and the infosec community as a whole.
Security pros started submitting nominations in June 2018 for bugs disclosed over the past year. Nominees were posted in August and winners were determined by a panel of security researchers, or "the closest to a jury of peers a hacker is likely to ever get," its website quips.
Pwnie categories range from "Best Privilege Escalation Bug" to "Most Overhyped Bug" to "Lamest Vendor Response." A Lifetime Achievement award recognizes a member of the security community who stands out for research and contributions to the industry.
This year's informal awards ceremony, hosted by a panel of respected (and hilarious) security experts, was packed with attendees and laughs as they presented Pwnies for the best and worst in security. Some lucky award recipients were in the audience; others (John McAfee, for example) weren't.
"We believe this is the best antidote to any creeping cynicism we have in our community," joked Justine Bone, CEO of MedSec and one of the Pwnie panelists.
Read on to learn more about who won, who lost, and who pwned at this year's show.
The Pwnie for discovering and exploiting the most technically advanced and interesting client-side bug went to Rob Miller and G. Geshev for "The 12 Logic Bug Gifts of Christmas."
In a report, "Chainspotting: Building Exploit Chains with Logic Bugs," the researchers detail how they used a chain of 11 bugs across 6 unique applications, including components from Samsung, Chrome, and the Android Open Source Project. The bugs made up the longest exploit chain in Pwn2Own history. The duo threw in a remote DoS bug in their chain to bring their count up to 12.
Both researchers work with MWR Infosecurity, which was acquired by F-Secure earlier this year. The companies have a tradition of taking their trophies on trips around town, so they brought this award around Helsinki before heading home to the UK. This is their Pwnie in front of the Tuomiokirkko Cathedral.
Also nominated: SOAP Dropper, CVE-2017-11882, DynoRoot!!!1111 (CVE-2018-1111), CVE-2017-5116, and A Bug Has No Name (CVE-2017-11779).
This Pwnie goes to the pros who discovered or exploited the most technically sophisticated and interesting privilege escalation flaw, which can include local operating system privilege escalations, OS sandbox escapes, and virtual machine guest breakout vulnerabilities.
Meltdown and Spectre, or "this bug that involved pouring lava on a computer and viewing it through a monocle," took the Pwnie, with credit attributed to Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Jann Horn, and Anders Fogh.
It's likely little surprise to see Meltdown and Spectre nominated for Privilege Escalation Bug. The critical processor vulnerabilities marked a terrible start to 2018, changed the game for vulnerability disclosure, and represented a new class of threat that demands more effective security practices. Industry experts worry we'll continue seeing the effects for years to come.
Also nominated: waitid (CVE-2017-14954, CVE-2017-5123), RAMPAGE, backboardd Double free(), Holey Beep
Spectre/Meltdown took its second Pwnie for Most Innovative Research, with credit going to the same team for publishing the most interesting and innovative research in the form of a presentation, paper, tool, or even a mailing list post, as detailed on the Pwnie site.
The discovery of Meltdown and Spectre likely scratches the surface of microprocessor vulnerabilities out there, experts predict. There appears to be lots of space for more problems like this, and researchers will continue hunting for them. Several variants of Spectre have been discovered since the bug was first found earlier this year.
Also nominated: Throwhammer, Smashing-Smart-Contracts, TLBleed, GrandPwningUnit/GLitch.
This Pwnie goes to the person who discovered a bug that generated the most hype online and in the media, with extra points for bugs that were ultimately impossible to exploit in practice. Holey Beep (CVE-2018-0492) took home the Pwnie, with credit to 0day.marketing.
Privilege escalation bug Holey Beep only affects 1.86% of all Internet users but it does have its own webpage, which the Pwnies deem "an attack against branded vulnerabilities" and "way funnier than Pwnie award writeups."
Also nominated: Efail (CVE-2017-17689), Meltdown and Spectre (CVE-2017-5715), Zip Slip (CVE-2018-1002204), Zipperdown.
The recipient of this year's Lifetime Achievement Award was Michał Zalewski (@lcamtuf), a Polish security expert, white hat hacker, and former director of security engineering at Google. His book, "Silence on the Wire," was noted by one of the Pwnie judges as one of the best examples of what it means to hack. But it was more than a book that earned Michal this year's zombie-themed Pwnie (pictured) and the standing ovation that closed the award ceremony.
Michal has been "a prolific contributor" to the security community and spent decades offering tools and resources that reflect an approach unique in the field. He developed American Fuzzy Lop (AFL), a security-oriented fuzzer that served as the underlying engine for the DARPA Cyber Grand Challenge finalists. Michal also created p0f, a tool that uses passive traffic fingerprinting mechanisms to detect people behind TCP/IP communications.