Zero-day exploits rank among the most serious online security risks, because threat actors target a software vulnerability that is still unknown to vendors such as Google and Samsung, so no patch exists when the attack lands. At a Pwn2Own competition in Toronto, Canada, two elite hacking teams compromised the Samsung Galaxy S22 with two separate zero-day attacks.
What is the Pwn2Own event?
Pwn2Own is a computer-hacking event organised twice a year by Trend Micro’s Zero-Day Initiative (ZDI). First held in April 2007 in Vancouver, the event sees some of the best hacking teams come together to exploit various devices using previously unknown ‘zero-day’ vulnerabilities. These devices include mobile phones, home automation hubs, printers, wireless routers, network-attached storage and smart speakers.
After successfully exploiting a device, the teams hand the full details to the vendor so that it can release a patch fixing the issue, and they receive financial rewards in return. This year, teams can win cash prizes of up to $200,000 for hacking the Google Pixel 6 and Apple iPhone 13 smartphones. Teams can also earn a $50,000 bonus if their exploit executes with kernel-level privilege.
Samsung Galaxy S22 hacked twice on the same day
As reported by Forbes, the STAR Labs team was the first to exploit a zero-day on a flagship device, landing its improper input validation attack on the third attempt. This earned the team $50,000 and 5 Master of Pwn points for being the first to exploit a zero-day vulnerability against that target.
A few hours later, the Chim team demonstrated another zero-day exploit on Samsung's flagship device, again by executing an improper input validation attack. This earned the team $25,000 (50% of the prize, since it was the second successful round against the same device) and 5 Master of Pwn points.
According to the competition rules, the first winner of each target receives the full cash award and the devices under test. All the other winners receive 50% of the prize package and full Master of Pwn points.