Samsung Galaxy S23 hacked twice on first day of Pwn2Own Toronto


Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada.

They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi’s 13 Pro smartphone, as well as printers, smart speakers, Network Attached Storage (NAS) devices, and surveillance cameras from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.

Pentest Limited was the first to demo a zero-day on Samsung’s flagship Galaxy S23 device, exploiting an improper input validation weakness to gain code execution and earning $50,000 and 5 Master of Pwn points.

The STAR Labs SG team also hacked a Samsung Galaxy S23, exploiting a permissive list of allowed inputs weakness, and earned $25,000 (half the prize, as this was the second successful attempt against the same device) and 5 Master of Pwn points.

“While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points,” the organizers explain.

“Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.”

According to the Pwn2Own Toronto 2023 contest rules, all targeted devices run the latest operating system versions with all security updates installed.

ZDI awarded $438,750 during the first day of the contest for 23 successfully demoed zero-day vulnerabilities.

More than $1 million in cash and prizes

During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro’s Zero Day Initiative (ZDI), competitors can target mobile and IoT devices.

The complete list includes mobile phones (i.e., the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google’s Pixel Watch and Chromecast devices, all in their default configuration and running the latest security updates.

The highest rewards are for zero-day bugs in the mobile phone category, with cash prizes of up to $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7, with more than $1,000,000 in cash available for contestants.

Successfully exploiting Google and Apple devices also provides $50,000 bonuses if the exploit payloads execute with kernel-level privilege, bringing the maximum possible award for a single challenge to a total of $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14.

The complete contest schedule is available here. The full schedule for Pwn2Own Toronto 2023’s first day and the results for each challenge are listed here.

On the second day of the contest, the Samsung Galaxy S23 will again be tested by security researcher Le Xich Long and hackers at vulnerability research firm Interrupt Labs.

In March, during the Pwn2Own Vancouver 2023 competition, researchers were awarded $1,035,000 and a Tesla Model 3 car for exploiting 27 zero-days (and several bug collisions) between March 22 and 24.




