Pwn2Own, the annual computer hacking contest that concluded in Toronto, Canada, on October 27, 2023, saw security researchers earning $1,038,500 for 58 unique zero-day exploits (and multiple bug collisions).

The four-day hacking event was held between October 24, 2023, and October 27, 2023, with prize money to be won over $1,000,000 USD and other forms of prizes available for contestants.

The hacking event had multiple categories for the security researchers to target in the competition, which included printers, surveillance systems, network-attached storage (NAS) devices, mobile phones, home automation hubs, smart speakers, and Google’s Pixel Watch and Chromecast devices.

The hacking contest saw the Samsung Galaxy S23 being successfully hacked four times by the teams of Pentest Ltd, STAR Labs SG, Interrupt Labs, and ToChim. While Pentest Ltd and Interrupt Labs were able to execute an Improper Input Validation against the Samsung Galaxy S23, STAR Labs SG and ToChim were able to exploit a permissive list of allowed inputs against the smartphone.

Further, the exploitation of Samsung Galaxy S23 earned the Pentest Ltd and Interrupt Labs teams a reward of $50,000 and $25,000, respectively, and 5 Master of Pwn points, while the STAR Labs SG and ToChim teams got $25,000 and 5 Master of Pwn points each for their exploits.

Other Highlights:

  • Chris Anastasio was able to exploit a bug in the TP-Link Omada Gigabit Router and another in the Lexmark CX331adwe for $100,000
  • Team Orca of Sea Security executed a 2-bug chain using an OOB Read and UAF against the Sonos Era 100 for $60,000
  • A DEVCORE Intern executed a stack overflow attack against the TP-Link Omada Gigabit Router and exploited two bugs in the QNAP TS-464 for $50,000
  • Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup for $50,000
  • Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, Lexmark, and HP were all exploited during the competition

The overall Master of Pwn winner was Team Viettel, with 30 Master of Pwn points, winning $180,000. They were followed on the leaderboard by Team Orca of Sea Security with $116,250 (17.25 points) and DEVCORE Intern and Interrupt Labs (each with $50,000 and 10 points).

Chris Anastasio and Pentest Ltd. ranked fourth and fifth on the leaderboard, respectively, with nine points each and won $100,000 and $90,000.

The full schedule of the Pwn2Own Toronto 2023 hacking event can be found here. The day-wise results for each challenge can also be found here (1, 2, 3, 4).

What is Pwn2Own?

Pwn2Own is a hacking competition organized each year by Trend Micro’s Zero Day Initiative (ZDI), where ethical hackers, cybersecurity experts, and several other contestants take part.

In the Pwn2Own hacking contest, security researchers exploit the latest and most popular mobile devices and IoT devices, demonstrate their skills, and disclose major zero-day vulnerabilities to tech companies. Contest winners receive the device they exploited and a cash prize.

Following the event, vendors have 90 days to produce patches for these bugs. Once the deadline ends, ZDI publicly discloses the flaws, irrespective of the patch status.