Security researchers hacked the Samsung Galaxy S23 twice on the first day of the consumer-focused Pwn2Own 2023 hacking competition in Toronto, Canada. They also showed exploits and vulnerability chains targeting zero-days on the Xiaomi 13 Pro smartphone, as well as printers, smart speakers, network-attached storage (NAS), and surveillance cameras from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.

Pentest Limited became the first company to demonstrate a zero-day on the Samsung Galaxy S23 flagship device, earning $50,000 and 5 Master of Pwn points by exploiting a typo-checking weakness to increase code execution.

The STAR Labs SG team also used the whitelist to jailbreak the Samsung Galaxy S23 device, winning $25,000 (half the reward for the second round of targeting the same device) and 5 Master of Pwn points.

“While only the first demo in a category receives the full prize money, each successful entry is eligible to receive the full Master of Pwn points,” the organizers explain.

“Since the order of attempts is determined by a random draw, winners of later slots can still claim the title of Master of Pwn, even if they receive a smaller cash payout.”

According to Pwn2Own Toronto 2023 contest rules, all target devices are running the latest operating system versions with all security updates installed. ZDI received a reward of $438,750 for 23 zero-day vulnerabilities that were successfully demonstrated on the first day of the competition.

Over $1 million in cash and prizes

During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro Zero Day Initiative (ZDI), adversaries can target mobile and IoT devices.

The full list includes mobile phones (like the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro), printers, wireless routers, network attached storage (NAS), home automation hubs, surveillance systems, smart speakers, and Google devices. Pixel Watch and Chromecast, which are configured by default and have the latest security updates.

Highest zero-day bug awards in the mobile phone category; Cash rewards of up to $300,000 for those who hack the iPhone 14, $250,000 for the Pixel 7, and over $1,000,000 in cash rewards for participants.

Successful exploits on Google and Apple devices also provide a $50,000 bonus if exploit payloads are executed with kernel-level privileges, bringing the maximum possible reward per issue to $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14. takes it out.

On the second day of the competition, the Samsung Galaxy S23 was tested again by security researcher Le Sich Long and hackers from research firm Interrupt Labs. In March, during the Pwn2Own Vancouver 2023 competition, researchers were awarded $1,035,000 and a Tesla Model 3 for using 27 zero days (and several bug encounters) between March 22 and 24. Source