WhatsApp Hacker Challenge Could Net You A Cool $1 Million
The large dollar amount will be awarded to anyone who can craft a zero-click remote code execution exploit for WhatsApp, meaning it must work across a network, require no user action, and allow for executing any code on the target phone. That's quite the tall order, but then again so is the prize that ZDI succinctly describes as "a number with two commas."
Even if you can't quite reach that lofty goal, there's $500,000 on hand for a similar exploit that requires a click from a user, possibly on a malicious link. A number of prizes ranging from $50,000 to $150,000 are available for remote access to user data or accounts as well. WhatsApp may not be much more than the name of some messaging app in the United States, but it's the de facto standard across Europe, South America, and Africa, making it one of the juiciest targets you can exploit in mobile computing right now.
While on that topic, there are also quite significant prizes for phone exploits: $300,000 for remote exploits on iPhone 16 or Pixel 9 handsets, and $50,000 for the Galaxy S25. The ZDI added a new category this year, too: USB exploits, something we feel is important to research as this has historically been an attack vector at charging stations in airports and other public places. Indeed, USB connection attacks have been getting ever-craftier, as some of them use keyboard/mouse emulation to automatically tap the dialog that enables phone data access instead of just charging.

Meta's cash war chest has the company also laying down the gauntlet in the wearables category, where the company is offering from $30,000 on up to $150,000 for attacks on its Quest 3/3S headsets and Ray-Ban Smart Glasses. The competition once again counts Synology and QNAP as co-sponsors, with the two companies now joining forces in the NAS category with $40,000 available for hackers who can get into NAS stations, and there's also $30,000 up for grabs in exchange for exploits against camera surveillance systems.
The ever-increasing proliferation of home assistant and IoT devices means the SOHO Smash and Smart Home Devices categories return with updated devices ranging from small NAS boxes, routers, and cameras, to even innocuous-looking devices like smart plugs, bulbs, and speakers. It's safe to say that no IT professional or power user likes printers, and the Rage Against The Printers category covers that with $20,000 prizes for exploits on each of the four available printers from various vendors.
Even if you're not a security researcher, the prize pool and categories are of interest to the general populace, as it's much preferable to have well-paid security researchers digging into vulnerabilities than malicious actors. This year's Pwn2Own competition happens in Cork, Ireland from October 21st through the 24th. If you're interested in competing, check the ZDI blog post for rules and registration details.