On the third day of Pwn2Own, contestants hacked the Samsung Galaxy S22 for the fourth time since the start of the competition, and this time they did it in just 55 seconds.
Security researchers representing penetration test provider Pentest Limited pulled this off on Thursday, demoing a zero-day bug as part of a successful Improper Input Validation attack against Samsung’s flagship device.
This earned them $25,000, 50% of the total cash award, as this was the fourth (and last) time the Galaxy S22 was hacked during the Pwn2Own Toronto 2022 contest.
Tri Dang and Toan Pham of Qrious Secure also tried bypassing the smartphone’s security protection but failed to demonstrate their exploit during the time allotted for their attempt.
On the first day of Pwn2Own Toronto, the STAR Labs team and a security researcher only known as Chim demoed two other zero-day exploits in successful attacks targeting the Galaxy S22.
In all four cases, the smartphones were running the latest Android OS version with all available updates installed, according to the contest rules.
The third day of Pwn2Own Toronto wrapped up with Trend Micro’s Zero Day Initiative awarding $253,500 for 14 unique bugs across multiple categories.
Throughout the day, contestants also demoed exploits targeting zero-day flaws in routers, smart speakers, printers, and Network Attached Storage (NAS) devices from Cisco, NETGEAR, Canon, Ubiquiti, Sonos, Lexmark, Synology, and Western Digital.
This brings the total to $934,750 awarded for 60 unique zero-days after the first three days of Pwn2Own, per ZDI’s Head of Threat Awareness Dustin Childs.
The Pwn2Own Toronto 2022 consumer-focused hacking contest was extended to four days after 26 individual contestants and teams registered to exploit 66 targets, and it takes place between December 6th and December 8th.
On the fourth day of the competition, the contestants will demo new zero-days in multiple consumer device categories, including printers, wireless routers, and network-attached storage.