Korean chap finds flaws in moments, scores $100k apiece for fun
Power of Community If Jung Hoon Lee is not the world’s best hacker, he can’t be far from the top of the dais: the 22 year-old South Korean better known as Lokihardt has an uncanny knack for finding zero-day exploits in the world’s most popular and most secure systems.
Lee is a fixture at global hacking competitions like Pwn2Own and PwnFest where he and rival vulnerability testers find and exploit zero day flaws in systems ranging Google Chrome, to Apple Safari, to Windows 10.
Each new hack Lee cooks up for the regular contests earns him more than US$100,000 from sponsoring technology companies and he often drops two to three zero days at each competition.
He usually develops his exploits in the weeks before a contest and them demos them live. He needs to be good: winning means exploits need to work against the newest fully-patched browsers, operating systems, and phones, without any user interaction, and do their worst within less than a few minutes. Most take mere seconds.
The demure hacker, who spoke to The Register at the Power of Community security conference in Seoul, does not want to showcase his contest winnings, but he is sure to have earned millions of dollars.
“I don’t have a job,” Lee says laughing. “I worked for Samsung for a little while, but not anymore.”
Lee’s success is one a cadre of young highly talented hackers around the world are discovering thanks to the boom in lucrative hacking contests and private bounty bounties.
He earnt almost US$300,000 at the PwnFest hacking competition here in Seoul for two zero day vulnerabilities in Microsoft Edge and VMWare Workstation, the first time the latter application has ever been compromised.
Lee’s breach of the latest version of Redmond’s Edge showcased just how good a hacker he is. After drawing the short straw and competing to hack the browser after Qihoo 360’s Vulcan PC-hacking team, Lee had by coincidence used the same zero day exploit as his rivals.
This disqualified the hacker from earning the US$140,000 prize, or it would have, had he not right then and there found and used a new zero day exploit. He discovered it by deleting a single line of code from a Microsoft patch.
Jung Hoon Lee (left) hacking Windows Edge in Seoul. Image: Darren Pauli / The Register.
Hackers laugh and shake their heads when this reporter talks of the stunt.
He has earnt the respect of rivals of the likes of China’s Qihoo 360, Tencent, and Baidu, and talented hackers like Pinkie Pie, GeoHolt, and MWR Labs from the UK, the US, and across Russia and Europe.
Lee began looking for bugs as an 18 year-old in 2012, rising to breach the world’s best platforms in the ensuing four years.
But despite breaking systems built by billion-dollar companies, Lee praises their state of security.
“A lot of these vendors try hard to improve their security,” Lee says. “Microsoft is putting in a lot of effort to add new mitigations that make it harder to exploit even if you find bugs.”
He says Google is doing excellent work developing Chrome’s sandbox which takes the wind out of many memory corruption and other vulnerabilities.
Which platforms are failing?
“Flash, of course,” Lee says giggling.
Yet for a man who appears to have the ability to hack anything, Lee is not a security spook.
He uses a Mac and an iPhone, not out of opinion that those platforms are more secure, but because of design and form factor. “I don’t have preference for how secure something is, or how easy it is to hack it, I just like OS X.”
“But”, he says, “sometimes I worry I’ve been hacked.” ®
Sponsored: Customer Identity and Access Management