It was the best of times; it was the worst of times for Samsung. Across four days ending October 27, the Samsung Galaxy S23 was successfully hacked by elite security researchers using zero-day exploits. Four times. The iPhone 14 and Pixel 7 were left unscathed. However, it’s not all bad news, as the zero-day exploits have been handed over to Samsung to fix. Samsung now has 120 days to do so before the exploit methodologies are disclosed publicly.
The removal of the Samsung S23 smartphone came at the annual Pwn2Own hacking event hosted through Trend Micro’s Zero Day Initiative. This customer event was held in Toronto, Canada, from October 24 to 27. only the Samsung Galaxy S23 and Xiaomi Thirteen Pro were effectively exploited. The Apple iPhone 14 and Google Pixel 7 remained undefeated.
As for the Samsung Galaxy S23, hackers from Pentest Limited, STAR Labs SG, Interrupt Labs, and ToChim managed to execute zero-day exploits against the device during the four days of competition.
In fact, there was a fifth successful hack against the Samsung Galaxy S23 via Sea Security’s Orca team, but it used an already known exploit.
Meanwhile, researchers from the NCC Group and the Viettel team also effectively executed zero-day exploits against the Xiaomi thirteen Pro smartphone.
As already mentioned, all the main technical points of the success of zero-day exploits will be made public when Samsung has had the opportunity to distribute a patch to fix the vulnerabilities. ZDI offers suppliers 120 days to produce and distribute such a patch. Meanwhile, ZDI has published a brief overview of the types of exploits on X, formerly known as Twitter.
Pentest Limited ran an input validation exploit, STAR Labs SG exploited a permissive list of allowed inputs, as did the ToChim team, while Interrupt Labs used an input validation exploit.
The four hacking groups involved in exploiting the Samsung Galaxy S23 earned a total of $125,000 for demonstrating their zero-day attacks live on stage. The fifth team, which used a zero-day exploit, however earned a reward of $6,250.
The total prize money claimed by hacking teams across the entire four days of Pwn2Own 2023 amounted to a staggering $1,038,500. With 58 zero-days in all being demonstrated and handed over to the relevant vendors, this was a good week for hackers and consumers alike. It is far better that these exploits are discovered by those who hand them over for fixing than by those who would exploit them against us for criminal profit or in government-sponsored espionage campaigns.
Those 58 zero-days impacted printers, routers, security cameras, and network-attached storage devices, among other consumer devices. The full list of successful exploits can be found on the ZDI Pwn2Own blog.
The final ratings of Pwn2Own 2023 in Toronto
I have contacted Samsung and will update this article accordingly.
A community. Many voices. Create a free account to share your thoughts.
Our network aims to connect other people through open and thoughtful conversations. We need our readers to share their perspectives and exchange concepts and facts in one space.
To do this, please comply with the posting regulations in our site’s terms of use. We summarize some of those key regulations below. In short, civilized.
Your post will be rejected if we notice that it seems to contain:
User accounts will be locked if we become aware that users are engaging in:
So how can you be a user?
Thank you for reading our Community Guidelines. Please read the full list of posting regulations discovered in our site’s Terms of Use.