Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada.
They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital.
Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung’s flagship device on Wednesday.
They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.
On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22.
In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.
The second day of Pwn2Own Toronto wrapped up with Trend Micro’s Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories.
This brings the total for the first two days of Pwn2Own to $681,250 awarded for 46 unique zero-days, as ZDI’s Head of Threat Awareness Dustin Childs revealed.
Competition extended to four days
At Pwn2Own Toronto 2022, security researchers target consumer devices in multiple categories, including mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers, all running the latest software and in their default configuration.
The mobile phone category comes with the highest cash prizes, with researchers earning up to $200,000 for hacking Apple iPhone 13 and Google Pixel 6 smartphones.
Hacked Google and Apple devices also come with $50,000 bonuses if the exploits execute with kernel-level privilege, with the maximum reward for a single challenge going up to $250,000 for a full exploit chain with kernel-level access.
This year’s Pwn2Own Toronto consumer-focused hacking competition has been extended to four days (between December 6th and December 8th) after 26 individual contestants and teams registered to exploit 66 targets across all contest categories.
On the third day of the competition, Samsung Galaxy S22 will once again be put to the test by hackers with the Pentest Limited and Qrious Secure teams.