• January 27, 2023

Last year, during the Pwn2Own hacking event in Austin, Texas, the Samsung Galaxy S21 was hacked, not once but twice, across a period of just 48 hours. This year, at the Pwn2Own competition in Toronto, Canada, elite hacking teams went one better: Samsung’s flagship Galaxy S22 smartphone fell to zero-day exploits twice on the same day. But this is a good thing, as it means Samsung can now fix the issues before malicious threat actors can do any harm.

What is Pwn2Own?

The Pwn2Own hacking event is operated by Trend Micro’s Zero-Day Initiative (ZDI), launched in 2005, and sees some of the best hacking teams come together to exploit various devices using previously unknown ‘zero-day’ vulnerabilities. These elite hacking bounty hunters and security researchers compete against the clock, and each other, in order to successfully exploit, or pwn, devices for sizeable financial rewards. None of the zero-days are sold or redistributed by ZDI; instead, the vendors of the exploited devices are quickly given the details they need to release a patch, before full technical information is made public or the flaws can be exploited by malicious threat actors.

Samsung Galaxy S22 hacked, twice

It took the STAR Labs team three attempts, but it was third time lucky as the hackers managed to execute an improper input validation attack against a Samsung Galaxy S22 that was running the latest operating system and firmware and fully up to date with security patches. Because this was the first team to succeed in exploiting a zero-day vulnerability for the smartphone, an award of $50,000 was made. There’s even a YouTube video of the successful Samsung Galaxy S22 hack taking place.

Within just a few hours, the Chim team successfully showcased another zero-day exploit against the Samsung flagship device. This was another improper input validation attack, but because it came after the first, the team was only awarded a $25,000 prize.

I have reached out to Samsung for a statement regarding the successful exploits and asked for an estimated timescale for a patch to become available. I will update this story when I hear more.

Full results of successful hacks on Pwn2Own day one

Other successful exploits on day one of Pwn2Own include:

  • A stack-based buffer overflow attack against the Canon imageCLASS MF743Cdw printer.
  • Both an authentication bypass and a command injection attack against the WAN interface of the TP-Link AX1800 router.
  • A command injection attack against the Lexmark MC3224i printer.
  • A command injection attack against the WAN interface of a Synology RT6600ax router.
  • A stack-based buffer overflow attack against the HP Color LaserJet Pro M479fdw printer.
  • A command injection root shell attack against the LAN interface of a Synology RT6600ax router.
  • Both an SQL injection and a command injection attack against the LAN interface of the NETGEAR RAX30 AX2400 router.
  • A three-exploit chain attack consisting of two ‘missing auth for critical function’ and one auth bypass, against a Synology DiskStation DS920+ NAS.
  • A two-vulnerability attack against an HP Color LaserJet Pro M479fdw printer.
  • A five-vulnerability attack against the LAN interface of the NETGEAR RAX30 AX2400 router.
  • Two different stack-based buffer overflow attacks were successful against a Mikrotik router and a Canon printer in a new ‘SOHO SMASHUP’ category, earning the winning team $100,000. Second place, and $50,000, went to a team that used a three-vulnerability attack against a NETGEAR router and an HP printer.