A secure boot bypass in the 1080p revision of Chromecast with Google TV (CCwGTV). The bypass combines two issues, a hardware fault injection and a software logic bug, a consequence of the mitigations and efforts Google has made since the exploit chain previously released against the 4K model.
An exploit chain that targets Samsung's TEEgris OS running in the ARM TrustZone secure world. TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs)...
A long, fairly beginner-friendly post about attacking a Bluetooth lock; there is a lot of process information here as it was an intern's research project. What the vulnerability comes down to, though, is a lack of any real authorization checking: the lock only validates the integrity (poorly!) of the request and trusts that the app did all the heavy lifting.
A trivial out-of-bounds access in the iPod nano 3rd-5th generation's USB stack in the bootROM. The `USB::HandlePendingSetup()` handler for SETUP packets would accept a request and dispatch it to different sub-handlers based on the `bmRequestType`...
A total of eight issues impacting various companies in the automotive industry, a mix ranging from simple SQL injection to some interesting Single Sign-On (SSO) implementation decisions.
A couple of command injection bugs on the Netgear RAX30 router; straightforward IoT bugs.
Two vulns in Netgear RAX30 routers that were patched 2 days before the Pwn2Own draw. One was a LAN bug, the other a WAN issue.
A timing-based side-channel in the `CHECK_DATA` Device Configuration Data could allow the value of memory to be disclosed and read even when reading was disabled.
The RH850 is an automotive MCU which features Secure Onboard Communication or SecOC, which includes read protections to prevent the ability to dump the ROM over serial. After reversing the protocol with a logic analyzer, they discovered the authentication was only gated on the sync command (which is required before any other commands are acknowledged)...
A post by NCC Group which covers an older vulnerability in NXP i.MX High Assurance Boot (HAB). A bit of background is helpful for understanding the bug and its impact.