Contestants hacked the Samsung Galaxy S22 smartphone twice during the first day of the Pwn2Own Toronto 2022 hacking contest, the 10th edition of the consumer-focused event.
The STAR Labs team was the first to successfully exploit a zero-day on Samsung’s flagship device, executing an improper input validation attack on their third attempt and winning $50,000 and 5 Master of Pwn points.
Another contestant, Chim, also demonstrated a successful exploit against the Samsung Galaxy S22, executing an improper input validation attack and winning $25,000 (50% of the prize for the second round of targeting the same device) and 5 Master of Pwn points.
“The first winner on each goal will receive the full cash prize and the devices under test,” explain the organizers of the competition.
“For the second and subsequent rounds on each target, all other winners will receive 50% of the prize package, however, they will still earn the full Master of Pwn points.”
According to the rules of the competition, in both cases, the Galaxy S22 devices were running the latest version of the Android operating system with all available updates installed.
During this first day of the competition, contestants also successfully demonstrated exploits targeting zero-day bugs in printers and routers from multiple vendors, including Canon, MikroTik, NETGEAR, TP-Link, Lexmark, Synology and HP.
Competition extended to four days
At Pwn2Own Toronto, security researchers can target cell phones, home automation hubs, printers, wireless routers, network storage, smart speakers and other devices, all of them up-to-date and in their default configuration.
They can win the highest rewards in the mobile category, with cash prizes of up to $200,000 for hacking Google Pixel 6 and Apple iPhone 13 smartphones.
Hacking Google and Apple devices can also provide $50,000 bonuses if the exploits are executed with kernel-level privilege, bringing the maximum reward for a single challenge to a total of $250,000 for a full exploit chain with kernel-level access.
Pwn2Own Toronto’s consumer-focused event has been extended to four days (between December 6th and December 8th) after 26 teams and contestants registered to exploit 66 targets across all categories.
You can find the complete competition schedule here. The full schedule for the first day of Pwn2Own Toronto 2022 and the results for each challenge are listed here.
On the second day of the competition, the Samsung Galaxy S22 will again be tested by hackers at the vulnerability firm Interrupt Labs.