
Million-Dollar Zero-Day Attackers Take Down Samsung Galaxy S23


The Samsung Galaxy S23 fell four times in four days to zero-day hackers during Pwn2Own 2023

Copyright 2023 The Associated Press. All rights reserved

It was the best of times; it was the worst of times for Samsung. Across four days ending October 27, the Samsung Galaxy S23 was successfully hacked by elite security researchers using zero-day exploits. Four times. The iPhone 14 and Pixel 7 were left unscathed. However, it’s not all bad news, as the zero-day exploits have been handed over to Samsung to fix. Samsung now has 120 days to do so before the exploit methodologies are disclosed publicly.

Who Just Hacked The Samsung Galaxy S23?


The takedown of the Samsung S23 smartphone happened during the annual Pwn2Own hacking event organized by Trend Micro’s Zero Day Initiative. This consumer-oriented event, held in Toronto, Canada, took place between October 24 and 27. Although four smartphones were in scope for the hackers taking part, only the Samsung Galaxy S23 and Xiaomi 13 Pro were successfully exploited. The Apple iPhone 14 and Google Pixel 7 remained undefeated.


With regard to the Samsung Galaxy S23, hackers from Pentest Limited, STAR Labs SG, Interrupt Labs, and ToChim were all able to execute successful zero-day exploits against the device across the four days of competition.

There was, in fact, a fifth successful hack against the Samsung Galaxy S23 by Team Orca from Sea Security, but it used a previously known exploit.

Meanwhile, researchers from NCC Group and Team Viettel were also able to execute successful zero-day exploits against the Xiaomi 13 Pro smartphone.

What Zero-Day Exploits Were Used To Hack The Samsung Galaxy S23?


As already mentioned, the full technical details of the successful zero-day exploits will not be made public until Samsung has had an opportunity to distribute a patch to fix the vulnerabilities. ZDI gives vendors a 120-day window within which to produce and distribute such a patch. In the meantime, ZDI has released a very brief outline of the exploit types on X, formerly known as Twitter.

Pentest Limited and Interrupt Labs each executed an improper input validation exploit, while STAR Labs SG and the ToChim team each exploited a permissive list of allowed inputs.

How Much Money Did The Pwn2Own Hackers Make?


The four teams of hackers involved in exploiting the Samsung Galaxy S23 were awarded a total of $125,000 for demonstrating their zero-day attacks live on stage. The fifth team, which didn’t use a zero-day exploit, was nonetheless awarded a bounty of $6,250.


The total prize money claimed by hacking teams across the entire four days of Pwn2Own 2023 amounted to a staggering $1,038,500. With 58 zero-days in all being demonstrated and handed over to the relevant vendors, this was a good week for hackers and consumers alike. It is far better that these exploits are discovered by those who hand them over for fixing than by those who would exploit them against us for criminal profit or in government-sponsored espionage campaigns.

Those 58 zero-days impacted printers, routers, security cameras, and network-attached storage devices, among other consumer devices. The full list of successful exploits can be found on the ZDI Pwn2Own blog.

Figure: The Pwn2Own 2023 Toronto final leaderboard (credit: ZDI)

I have reached out to Samsung for a statement and will update this article should one be forthcoming.



Article information

Author: Peter Wu

Last Updated: 1700331842
