On the first day of the Pwn2Own 2023 contest in Toronto, Canada, security researchers successfully hacked the Samsung Galaxy S23 smartphone twice. They also demonstrated exploits and vulnerability chains against the Xiaomi 13 Pro smartphone, as well as printers, smart speakers, network-attached storage (NAS) devices and video surveillance cameras from Western Digital, Qnap, Synology, Canon, Lexmark, and Sonos.
Pentest Limited was the first to demonstrate a zero-day on the flagship Samsung Galaxy S23, using an input validation flaw to execute code. The team received $50,000 and 5 points in the Master of Pwn category.
The Star Labs SG team also successfully exploited the Samsung Galaxy S23 by bypassing the list of permitted inputs. They earned $25,000 (half of the prize, as this was the second round of attacks on the same device) and 5 points in the Master of Pwn category.
The organizers explained that although only the first demonstration in each category wins the full monetary award, each successful exploit earns the full number of Master of Pwn points. Since the order of attempts is determined randomly, participants with later slots can still claim the Master of Pwn title, even if they earn a smaller cash payout.
According to the competition rules of Pwn2Own Toronto 2023, the target devices ran the latest versions of their operating systems with all security updates installed. On the first day of the competition, $438,750 was awarded for 23 successfully demonstrated zero-day vulnerabilities. More details can be found on the official competition page.
The Pwn2Own Toronto 2023 event, organized by Trend Micro's Zero Day Initiative (ZDI), allowed participants to target mobile and IoT devices. The list of devices included smartphones such as the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro, as well as printers, wireless routers, network-attached storage (NAS) devices, home automation systems, video surveillance systems, smart speakers, and Google's Pixel Watch and Chromecast devices. All devices were in their standard configuration and had the latest security updates.
The highest cash prizes were