Competitors hacked the Samsung Galaxy S22 again on day two of the consumer-focused Pwn2Own 2022 contest in Toronto, Canada.
They also showcased exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and network-attached storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark and Western Digital.
Security researchers representing vulnerability research firm Interrupt Labs were the ones to demonstrate a successful exploit against Samsung’s flagship device on Wednesday.
They executed an improper input validation attack and won $25,000, 50% of the total cash prize, as this was the third time the Galaxy S22 was hacked during the competition.
On day one of Pwn2Own Toronto, the STAR Labs team and a competitor known as Chim demonstrated two more zero-day exploits in successful improper input validation attacks against the Galaxy S22.
In all three cases, according to the contest rules, the devices were running the latest version of the Android operating system with all available updates installed.
Day two of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories.
This brings the total for the first two days of Pwn2Own to $681,250 awarded for 46 unique zero-days, as revealed by ZDI Threat Awareness Manager Dustin Childs.
Competition extended to four days
At Pwn2Own Toronto 2022, security researchers are targeting consumer devices in several categories, including cellphones, home automation hubs, printers, wireless routers, network storage and smart speakers, all running the latest software and in their default setup.
The mobile phone category offers the highest cash prizes, with researchers winning up to $200,000 for hacking Apple iPhone 13 and Google Pixel 6 smartphones.
Hacked Google and Apple devices also come with $50,000 bonuses if the exploits run with kernel-level privileges, with the maximum reward for a single challenge up to $250,000 for a full exploit chain with kernel-level access.
This year, the Pwn2Own Toronto consumer-focused hacking competition was extended to four days (between December 6 and 8) after 26 individual participants and teams registered to exploit 66 targets across all competition categories.
On the third day of the competition, the Samsung Galaxy S22 will once again be put to the test by hackers with the Pentest Limited and Qrious Secure teams.