Pwnie Awards 2025: Documented keys, exploit chains and a SignalGate T-shirt
At the hacker conference, several teams won two pwnie awards for their discoveries. And "SignalGate" creator Mike Waltz also received a T-shirt.
- Lukas Grunwald
At the 33rd Def Con hacker conference, the Pwnie Awards, the “Oscars” of IT security, were presented. Matteo Rizzo, Kristoffer Janke, Josh Eads, Tavis Ormandy and Eduardo Vela Nava won twice: in the categories “Best Crypto Bug” and “Best Desktop Bug”. They discovered that AMD had been using the example key given in the NIST documentation in production for seven years.
Ken Gannon received an award for uncovering the complicated exploit chain that uses seven bugs to get a Samsung Galaxy S24 to install custom APKs. The pwnie for the best privilege escalation was won by hackers v4bel and qwerty_po for the Linux Kernel VSOCK Quadruple Race Condition. The security researchers from Qualys also won two pwnies: in the categories “Best RCE” (Remote Code Execution) and “Epic Achievement” for the disclosure of OpenSSH vulnerabilities.
Inwhan Chun, Isabella Siu and Riccardo Paccagnella received the pwnie for “Most Underhyped Research”. The “Scheduled Disclosure” bug they discovered in the power management algorithms of modern Intel processors makes it possible to convert power side-channel attacks into remote timing attacks – more effectively than before and without frequency side-channel leakage.
The prize for the “Most Innovative” entry went to Angelos Beitis. He found more than four million servers on the Internet that accept old, unauthenticated tunnel traffic such as IPIP, GRE, 6in4 or 4in6. This makes it easy to spoof source IP addresses, carry out denial-of-service attacks and even gain access to internal company networks.
“Signal groups kill troops”
In addition to the awards for security researchers, there are also ironic “awards” for companies and individuals. The negative pwnie “Lamest Vendor Response” went to the Linux kernel developers for the vulnerability “Linux kernel slab OOB write in hfsplus” (CVE-2025-0927). And the “EPIC Fail” pwnie went to Mike Waltz for the US government's SignalGate group chat affair. The pwnie team also presented him with a T-shirt with the motif of a security awareness poster: “Signal groups kill troops.”
(nie)