Samsung Galaxy S23: Breached Twice on Pwn2Own’s First Day!
Pwn2Own, sponsored by ZDI, stands as one of the world’s most renowned and lucrative hacking competitions. Each edition targets contemporary, widely used devices, offering substantial monetary rewards to contestants who can successfully compromise them. This not only serves as a testament to the contestants’ cybersecurity prowess but also aids manufacturers: every vulnerability demonstrated is reported to the vendor so that it can implement the necessary fixes.
On the competition’s inaugural day, security researchers successfully breached the Samsung Galaxy S23 phone twice. Moreover, participants showcased zero-day vulnerabilities and exploit chains targeting renowned products such as the Xiaomi 13 Pro smartphone, Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.
Success! Pentest Limited was able to execute an Improper Input Validation against the Samsung Galaxy S23. They earn $50,000 and 5 Master of Pwn points. #Pwn2Own pic.twitter.com/VaLc1mnhiH
— Zero Day Initiative (@thezdi) October 24, 2023
Among those challenging the Samsung Galaxy S23, the team from Pentest Limited triumphed first by exploiting an input validation flaw, earning a prize of $50,000 and five Master of Pwn points. Following them, the STAR Labs SG team secured a reward of $25,000 and the same five Master of Pwn points. According to the organizers, only the first successful demonstration in a category earns the full prize; subsequent ones are halved, though the Master of Pwn points awarded remain unaffected.
The competition’s array of targets encompassed smartphones (like the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, Network Attached Storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, along with Google’s Pixel watch and Chromecast device. As per the Pwn2Own Toronto 2023 rules, all target devices operated on their latest OS versions, fortified with all available security patches.
On the competition’s first day, ZDI awarded a total of $438,750 to recognize the successful demonstration of 23 zero-day vulnerabilities.