Contestants have hacked the Samsung Galaxy S22 smartphone twice during the first day of the Pwn2Own Toronto 2022 hacking competition, the 10th edition of the consumer-focused event.
The STAR Labs team was the first to successfully exploit a zero-day on Samsung’s flagship device by executing their improper input validation attack on their third attempt, earning $50,000 and 5 Master of Pwn points.
Another contestant, Chim, also demoed a successful exploit targeting the Samsung Galaxy S22, executing an improper input validation attack and earning $25,000 (50% of the prize for the second round of targeting the same device) and 5 Master of Pwn points.
“The first winner on each target will receive the full cash award and the devices under test,” the competition’s organizers explain.
“For the second and subsequent rounds on each target, all other winners will receive 50% of the prize package, however, they will still earn the full Master of Pwn points.”
According to the contest’s rules, in both cases, the Galaxy S22 devices ran the latest version of the Android operating system with all available updates installed.
During this first day of the competition, contestants have also successfully demoed exploits targeting zero-day bugs in printers and routers from multiple vendors, including Canon, MikroTik, NETGEAR, TP-Link, Lexmark, Synology, and HP.
In all, ZDI awarded $400,000 today for 26 unique and successfully demonstrated zero-day vulnerabilities.
Contest extended to four days
During the Pwn2Own Toronto 2022 hacking event organized by Trend Micro’s Zero Day Initiative (ZDI), security researchers can target mobile phones, home automation hubs, printers, wireless routers, network-attached storage, smart speakers, and other devices, all of them up to date and in their default configuration.
They can win the highest rewards in the mobile phone category, with cash prizes of up to $200,000 for hacking Google Pixel 6 and Apple iPhone 13 smartphones.
Hacking Google and Apple devices can also earn $50,000 bonuses if the exploits execute with kernel-level privilege, bringing the maximum award for a single challenge to $250,000 for a full exploit chain with kernel-level access.
Pwn2Own Toronto’s consumer-focused event has been extended to four days (between December 6th and December 8th) after 26 teams and contestants registered to exploit 66 targets across all categories.
On the second day of the competition, the Samsung Galaxy S22 will once again be put to the test by hackers at vulnerability research firm Interrupt Labs.