
Pwn2Own

The Pwn2Own Toronto 2023 hacking competition has ended with security researchers earning $1,038,500 for 58 zero-day exploits (and multiple bug collisions) targeting consumer products between October 24 and October 27.

During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro’s Zero Day Initiative (ZDI), security researchers targeted mobile and IoT devices.

The full list includes mobile phones (i.e., the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google’s Pixel Watch and Chromecast devices, all in their default configuration and running the latest security updates.

While no team signed up to hack the Apple iPhone 14 and Google Pixel 7 smartphones, the contestants hacked a fully patched Samsung Galaxy S23 four times.

The Pentest Limited team was the first to demo a zero-day in the Samsung Galaxy S23, exploiting an improper input validation weakness to gain code execution, earning $50,000 and 5 Master of Pwn points.

The STAR Labs SG team also exploited a permissive list of allowed inputs to hack Samsung’s flagship on the first day, earning $25,000 (half prize for the second round of targeting the same device) and 5 Master of Pwn points.

Security researchers with Interrupt Labs and the ToChim team also hacked the Galaxy S22 on the second day of the competition by exploiting a permissive list of allowed inputs and another improper input validation weakness.

Pwn2Own Toronto 2023 final leaderboard (ZDI)

Team Viettel won the competition, earning $180,000 and 30 Master of Pwn points. They’re followed on the leaderboard by Team Orca of Sea Security with $116,250 (17.25 points) and DEVCORE Intern and Interrupt Labs (each with $50,000 and 10 points).

The security researchers have successfully demoed exploits targeting 58 zero-days in devices from multiple vendors, including Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP.

You can find the complete schedule of the contest here. The full schedule for Pwn2Own Toronto 2023’s first day and the results for each challenge are listed here.

Once zero-day vulnerabilities exploited during the Pwn2Own event are reported, vendors have 120 days to release patches before ZDI publicly discloses them.

In March, during the Pwn2Own Vancouver 2023 competition, contestants won $1,035,000 and a Tesla Model 3 car for 27 zero-days (and several bug collisions).


