Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada.
They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro smartphone, as well as printers, smart speakers, Network Attached Storage (NAS) devices, and surveillance cameras from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.
Pentest Limited was the first to demo a zero-day on Samsung's flagship Galaxy S23 device by exploiting an improper input validation weakness to gain code execution, earning $50,000 and 5 Master of Pwn points.
The STAR Labs SG team also exploited a permissive list of allowed inputs to hack a Samsung Galaxy S23, earning $25,000 (half prize for the second round of targeting the same device) and 5 Master of Pwn points.
“While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points,” the organizers explain.
“Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.”
According to the Pwn2Own Toronto 2023 contest rules, all targeted devices run the latest operating system versions with all security updates installed.
ZDI awarded $438,750 during the first day of the contest for 23 successfully demoed zero-day vulnerabilities.
More than $1 million in cash and prizes
During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro's Zero Day Initiative (ZDI), competitors can target mobile and IoT devices.
The full list includes mobile phones (i.e., the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google's Pixel Watch and Chromecast devices, all in their default configuration and running the latest security updates.
The highest rewards are for zero-day bugs in the mobile phone category, with cash prizes of up to $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7, with more than $1,000,000 in cash available for contestants.
Successfully exploiting Google and Apple devices also provides $50,000 bonuses if the exploit payloads execute with kernel-level privilege, bringing the maximum potential award for a single challenge to a total of $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14.
You can find the complete schedule of the contest here. The full schedule for Pwn2Own Toronto 2023's first day and the results for each challenge are listed here.
On the second day of the contest, the Samsung Galaxy S23 will again be tested by security researcher Le Xich Long and hackers at vulnerability research firm Interrupt Labs.
In March, during the Pwn2Own Vancouver 2023 competition, researchers were awarded $1,035,000 and a Tesla Model 3 car for exploiting 27 zero-days (and several bug collisions) between March 22 and 24.