Pwn2Own, the annual computer hacking contest that recently took place in Toronto, Canada, saw hackers successfully exploit Samsung's latest Galaxy S22 flagship smartphone four times during the four-day hacking event.
For those unaware, Pwn2Own is a hacking competition organized each year by the Zero Day Initiative (ZDI) in which ethical hackers, cybersecurity experts, and several other contestants take part.
Pwn2Own Toronto 2022 marked the 10th anniversary of the consumer-focused hacking contest.
In the Pwn2Own hacking contest, security researchers exploit the latest and most popular mobile devices, demonstrating their skills and disclosing major zero-day vulnerabilities to tech companies.
Following the event, vendors have 90 days to produce patches for these bugs. Winners of the contest receive the device that they exploited and a cash prize.
Samsung Galaxy S22 Gets Exploited Multiple Times
Samsung Galaxy S22 was successfully broken into twice during the first day of the Pwn2Own Toronto 2022 hacking competition.
Team STAR Labs was the first to successfully exploit a zero-day vulnerability on Samsung's flagship device on their third attempt by executing an improper input validation attack. The winning team won $50,000, the devices under test, and 5 Master of Pwn points.
STAR Labs was able to execute their improper input validation attack on their 3rd try against the Samsung Galaxy S22. They earn $50K and 5 Master of Pwn points. #P2OToronto #Pwn2Own
The team got a great video of the exploit attempt: https://t.co/69It9QBOy2 pic.twitter.com/20WyVDuV5b
— Zero Day Initiative (@thezdi) December 6, 2022
Next, another participant, Chim, also successfully demoed an improper input validation attack against the Samsung Galaxy S22. They earned $25,000 (50% of the prize package for the second round of targeting the same device) as well as 5 Master of Pwn points.
Sweet calc action! #Pwn2Own #P2OToronto pic.twitter.com/3Fbi3SZE7h
— Zero Day Initiative (@thezdi) December 6, 2022
Further, the second day of the event saw vulnerability research company Interrupt Labs successfully hacking the Samsung Galaxy S22 by executing their improper input validation attack on the device. The team earned $25,000 (50% of the total cash award) for this successful hack, as this was the third time the Galaxy S22 was hacked during the competition.
On the third day, a team called Pentest Limited successfully jailbroke the Samsung Galaxy S22 to gain access to the device in less than 55 seconds by using an "Improper Input Validation" attack.
According to the contest rules, in all four cases, the devices were running the latest version of the Android operating system (Android 13) with all of the latest updates from Samsung installed.
"Samsung takes security seriously and is committed to providing a safe and secure experience for our customers. We are working to further enhance the security of our devices by releasing a security patch within December," Samsung said in a statement to Forbes after Day 1 of the event.
"Meanwhile, we recommend users only download trusted applications and keep their devices updated with the latest software to ensure the highest level of protection possible."
Besides Samsung, other products that were hacked and exploited at Pwn2Own Toronto 2022 were routers, smart speakers, printers, and Network Attached Storage (NAS) devices from Cisco, NETGEAR, Canon, Ubiquiti, Sonos, Lexmark, Synology, and Western Digital.