Safety researchers hacked the Samsung Galaxy S23 twice in the course of the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada.
In addition they demoed exploits and vulnerability chains focusing on zero-days in Xiaomi’s 13 Professional smartphone, in addition to printers, good audio system, Community Connected Storage (NAS) gadgets, and surveillance cameras from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.
Pentest Restricted was the primary to demo a zero-day on Samsung’s flagship Galaxy S23 system by exploiting improper enter validation weak point to achieve code execution, incomes $50,000 and 5 Grasp of Pwn factors.
The STAR Labs SG crew additionally exploited a permissive checklist of allowed inputs to hack a Samsung Galaxy S23, incomes $25,000 (half prize for the second spherical of focusing on the identical system) and 5 Grasp of Pwn factors.
“Whereas solely the primary demonstration in a class wins the total money award, every profitable entry claims the total variety of Grasp of Pwn factors,” the organizers clarify.
“For the reason that order of makes an attempt is set by a random draw, those that obtain later slots can nonetheless declare the Grasp of Pwn title – even when they earn a decrease money payout.”
In line with the Pwn2Own Toronto 2023 contest guidelines, all focused gadgets run the newest working system variations with all safety updates put in.
ZDI awarded $438,750 in the course of the first day of the competition for 23 efficiently demoed zero-day vulnerabilities.
Greater than $1 million in money and prizes
Throughout the Pwn2Own Toronto 2023 hacking occasion organized by Development Micro’s Zero Day Initiative (ZDI), opponents can goal cell and IoT gadgets.
The entire checklist contains cell phones (i.e., the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Professional), printers, wi-fi routers, network-attached storage (NAS) gadgets, residence automation hubs, surveillance methods, good audio system, and Google’s Pixel Watch and Chromecast gadgets, all of their default configuration and operating the newest safety updates.
The best rewards are for zero-day bugs within the cell phone class, with money prizes of as much as $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7, with greater than $1,000,000 in money accessible for contestants.
Efficiently exploiting Google and Apple gadgets additionally gives $50,000 bonuses if the exploit payloads execute with kernel-level privilege, bringing the utmost doable award for a single problem to a complete of $350,000 for a full exploit chain with kernel-level entry focusing on the Apple iPhone 14.
You could find the whole schedule of the competitors contest right here. The complete schedule for Pwn2Own Toronto 2023’s first day and the outcomes for every problem are listed right here.
On the second day of the competition, the Samsung Galaxy S23 will once more be examined by safety researcher Le Xich Lengthy and hackers at vulnerability analysis agency Interrupt Labs.
In March, throughout the Pwn2Own Vancouver 2023 competitors, researchers had been awarded $1,035,000 and a Tesla Mannequin 3 automobile for exploiting 27 zero-day (and several other bug collisions) between March 22 and 24.
