Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada.
The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance systems, and NAS devices from Canon, Synology, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP.
Interrupt Labs security researchers were the first to demo a Samsung Galaxy S23 zero-day in an improper input validation attack, while the ToChim team exploited a permissive list of allowed inputs to hack Samsung's flagship.
Both teams earned $25,000 and 5 Master of Pwn points for their demos as subsequent rounds on the same target.
"While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points," the organizers explain.
"Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout."
On the first day of Pwn2Own Toronto, Pentest Limited and the STAR Labs SG team demoed two different zero-days in attacks exploiting an improper input validation weakness and a permissive list of allowed inputs.
In all four cases, the device ran the latest version of the Android operating system with all security updates installed, according to the contest rules.
On the second day of Pwn2Own Toronto 2023, Trend Micro's Zero Day Initiative awarded $352,500 for over a dozen zero-days and multiple bug collisions across various categories. This brings the total for the first two days of Pwn2Own to $791,250 awarded for 39 unique zero-days.
Over $1 million in cash and prizes
In the Pwn2Own Toronto 2023 hacking event organized by Trend Micro's Zero Day Initiative (ZDI), participants have the opportunity to target a wide range of devices, including mobile phones such as the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro.
Printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google's Pixel Watch and Chromecast devices are also on the list, all up-to-date and in their default configurations.
The event offers significant rewards for zero-day vulnerabilities in mobile phones, with prizes reaching up to $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7. In all, contestants can win over $1,000,000 in cash prizes throughout the competition.
Notably, successful exploitation of Google and Apple devices also earns a $50,000 prize if exploit payloads execute with kernel-level privilege. This brings the potential award for a single challenge to a maximum of $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14 (however, no attempts to hack Apple's iPhone are scheduled).
Detailed information on the competition schedule can be found on the contest's official website. The results for each challenge, including those from Pwn2Own Toronto 2023's first day, are available on this page.
On the third day of the contest, the Samsung Galaxy S23 will once again be targeted by Team Orca of Sea Security.
At the Pwn2Own Vancouver 2023 competition held in March, contestants were awarded $1,035,000 in cash prizes and a Tesla Model 3 car for 27 zero-day vulnerabilities and several bug collisions.