Security researchers hacked the Samsung Galaxy S23 smartphone two more times on the second day of the Pwn2Own 2023 hacking competition in Toronto, Canada.
The contestants also demoed zero-day bugs in printers, routers, smart speakers, surveillance systems, and NAS devices from Canon, Synology, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP.
Interrupt Labs security researchers were the first to demo a Samsung Galaxy S23 zero-day in an improper input validation attack, while the ToChim team exploited a permissive list of allowed inputs to hack Samsun’s flagship.
Both teams earned $25,000 and 5 Master of Pwn points for their demos as subsequent rounds on the same target.
“While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points,” the organizers explain.
“Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.”
On the first day of Pwn2Own Toronto, Pentest Limited and STAR Labs SG team demoed two other zero-days in attacks exploiting improper input validation weakness and a permissive list of allowed inputs.
In all four cases, the device ran the latest version of the Android operating system with all security updates installed, according to the contest rules.
On the second day of Pwn2Own Toronto 2023, Trend Micro’s Zero Day Initiative awarded over $362,500 for over a dozen zero days and multiple bug collisions across various categories. This brings the first two days of Pwn2Own to more than $800,000 in cash prizes.
Over $1 million in cash and prizes
In the Pwn2Own Toronto 2023 hacking event organized by Trend Micro’s Zero Day Initiative (ZDI), participants have the opportunity to target a wide range of devices, including mobile phones such as the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro.
Printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google’s Pixel Watch and Chromecast devices are also on the list, all up-to-date and in their default configurations.
The event offers substantial rewards for zero-day vulnerabilities in mobile phones, with prizes reaching up to $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7. In all, contestants can win over $1,000,000 in cash prizes throughout the competition.
Notably, successful exploitation of Google and Apple devices also earns a $50,000 bonus if exploit payloads execute with kernel-level privilege. This brings the potential award for a single challenge to a maximum of $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14 (however, no attempts to hack Apple’s iPhone are scheduled).
Detailed information on the competition schedule can be found on the contest’s official website. The results for each challenge, including those from Pwn2Own Toronto 2023’s first day, are available on this page.
On the third day of the contest, the Samsung Galaxy S23 will once again be targeted by Team Orca of Sea Security.
At the Pwn2Own Vancouver 2023 competition held in March, contestants were awarded $1,035,000 in cash prizes and a Tesla Model 3 car for 27 zero-day vulnerabilities and several bug collisions.