The Pwn2Own hacking contest has once again highlighted that smartphones are always susceptible to attacks no matter how secure they are. Security researchers uncovered and exploited multiple zero-day vulnerabilities on the Samsung Galaxy S23 and Xiaomi 13 Pro. Both phones were hacked twice on the first day of the contest.
Pwn2Own exposes Galaxy S23 and Xiaomi 13 Pro’s security vulnerabilities
Pwn2Own is a computer hacking contest held twice a year. The contest invites security researchers from all over the world to try to breach the security of commonly used electronic devices such as smartphones, printers, smart speakers, surveillance cameras, Network Attached Storage (NAS) devices, and more. Researchers are awarded cash prizes for every successful hack. The prize money varies with the severity of the vulnerability and other factors.
The latest edition of Pwn2Own kicked off in Toronto, Canada yesterday, October 24. The organizers have more than $1,000,000 in cash and other prizes available for contestants. We saw several successful hacking attempts on various products on the first day itself. The most notable of them were two zero-day exploits against each of the latest flagship smartphones from Samsung and Xiaomi.
For the uninitiated, zero-day vulnerabilities are security flaws previously unknown to anyone, not even the developers of the product. If a hacker or security expert discovers such a vulnerability, they may be able to exploit it right away as the vendor doesn’t have a fix ready for it. This is what happened with the two phones at Pwn2Own. The first attack against the Galaxy S23 exploited an Improper Input Validation vulnerability.
Pentest Limited executed this attack and earned $50,000 in cash and five Master of Pwn points. Researchers at STAR Labs SG were able to “exploit a permissive list of allowed inputs” against the Samsung phone to earn $25,000 and five Master of Pwn points. Likewise, Team Viettel executed a single-bug attack against the Xiaomi 13 Pro to take home $40,000 and four Master of Pwn points. Finally, NCC Group exploited a zero-day vulnerability on the Xiaomi 13 Pro. The group earned a cash prize of $20,000 and four Master of Pwn points.
Both of these phones had the latest security patches installed
As per contest rules, all targeted devices were running the latest OS version with the latest security patch installed. Pwn2Own organizers say they have already awarded over $400,000 in prizes. The contest runs through October 27, so we might see more of these high-profile security breaches in the coming days. The Google Pixel 7 and iPhone 14 are also available to contestants as targets. Samsung’s Galaxy S22 was breached four times across the four-day span of an earlier Pwn2Own contest, including a hack executed in just 55 seconds.