Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th.
During this hacking competition, 26 teams and security researchers have targeted devices in the mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers categories, all up-to-date and in their default configuration.
While no team signed up to hack the Apple iPhone 13 and Google Pixel 6 smartphones, the contestants hacked a fully patched Samsung Galaxy S22 four times.
The STAR Labs team was the first to exploit a zero-day in Samsung’s flagship device by executing an improper input validation attack on their third attempt, earning $50,000 and 5 Master of Pwn points.
Another contestant, known as Chim, demoed one more successful exploit targeting the Samsung Galaxy S22 on the first day of the contest.
Security researchers with Interrupt Labs and Pentest Limited also hacked the Galaxy S22 on the second and third days of the competition, with Pentest Limited demonstrating their zero-day exploit in just 55 seconds.
The Pwn2Own Toronto 2022 wrapped up today, on the fourth day of the competition, with contestants earning $989,750 for 63 zero-day exploits across multiple categories.
The final numbers for #Pwn2Own Toronto 2022:
$989,750 awarded
63 unique 0-days
66 entries
36 different teams representing 14+ countries
See you at #Pwn2Own Miami in February!
— Zero Day Initiative (@thezdi) December 9, 2022
Throughout the contest, hackers have successfully demoed exploits targeting zero-day bugs in devices from multiple vendors, including Canon, HP, Mikrotik, NETGEAR, Sonos, TP-Link, Lexmark, Synology, Ubiquiti, Western Digital, Mikrotik, and HP.
You can find the complete schedule of the competition here and the program and results for each day of Pwn2Own Toronto 2022 here.
After the zero-day vulnerabilities exploited during the Pwn2Own event are reported, vendors are given 120 days to release patches before ZDI publicly discloses them.
The DEVCORE team won the contest, earning $142,500 and 18.5 Master of Pwn points. They are followed on the leaderboard by Team Viettel with $82,500 and 16.5 points and NCC Group EDG with $78.750 and 15.5 points.
