Hackers earn over $1 million for 58 zero-days at Pwn2Own Toronto

The Pwn2Own Toronto 2023 hacking competition has ended with security researchers earning $1,038,500 for 58 zero-day exploits (and multiple bug collisions) targeting consumer products between October 24 and October 27.

During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro's Zero Day Initiative (ZDI), security researchers targeted mobile and IoT devices.

The full target list includes mobile phones (i.e., the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google's Pixel Watch and Chromecast devices, all in their default configuration and running the latest security updates.

While no team signed up to hack the Apple iPhone 14 and Google Pixel 7 smartphones, the contestants hacked a fully patched Samsung Galaxy S23 four times.

The Pentest Limited team was the first to demo a zero-day in the Samsung Galaxy S23, exploiting an improper input validation weakness to gain code execution, earning $50,000 and 5 Master of Pwn points.

The STAR Labs SG team also exploited a permissive list of allowed inputs to hack Samsung's flagship on the first day, earning $25,000 (half the prize, as this was the second round of attempts against the same device) and 5 Master of Pwn points.

Security researchers with Interrupt Labs and the ToChim team also hacked the Galaxy S23 on the second day of the competition, by exploiting a permissive list of allowed inputs and another improper input validation weakness, respectively.

Pwn2Own Toronto 2023 final leaderboard (ZDI)

Team Viettel won the competition, earning $180,000 and 30 Master of Pwn points. They are followed on the leaderboard by Team Orca of Sea Security with $116,250 (17.25 points) and DEVCORE Intern and Interrupt Labs (each with $50,000 and 10 points).

The security researchers successfully demoed exploits targeting 58 zero-days in devices from multiple vendors, including Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, and HP.

You can find the full schedule of the competition here. The full schedule for Pwn2Own Toronto 2023's first day and the results for each challenge are listed here.

Once the zero-day vulnerabilities exploited during the Pwn2Own event are reported, vendors have 120 days to release patches before ZDI publicly discloses them.

In March, during the Pwn2Own Vancouver 2023 competition, contestants won $1,035,000 and a Tesla Model 3 car for 27 zero-days (and several bug collisions).