It was the best of times; it was the worst of times for Samsung. Across four days ending October 27, the Samsung Galaxy S23 was successfully hacked by elite security researchers using zero-day exploits. Four times. The iPhone 14 and Pixel 7 were left unscathed. However, it’s not all bad news, as the zero-day exploits have been handed over to Samsung to fix. Samsung now has 120 days to do so before the exploit methodologies are disclosed publicly.
The takedown of the Samsung S23 smartphone happened during the annual Pwn2Own hacking event organized by Trend Micro’s Zero Day Initiative. This consumer-oriented event, held in Toronto, Canada, took place between October 24 and 27. Although four smartphones were in scope for the hackers taking part, only the Samsung Galaxy S23 and Xiaomi 13 Pro were successfully exploited. The Apple iPhone 14 and Google Pixel 7 remained undefeated.
With regard to the Samsung Galaxy S23, hackers from Pentest Limited, STAR Labs SG, Interrupt Labs, and ToChim were all able to execute successful zero-day exploits against the device across the four days of competition.
There was, in fact, a fifth successful hack against the Samsung Galaxy S23 by Team Orca from Sea Security, but it used a previously known exploit.
Meanwhile, researchers from NCC Group and Team Viettel were also able to execute successful zero-day exploits against the Xiaomi 13 Pro smartphone.
As already mentioned, the full technical details of the successful zero-day exploits will not be made public until such time as Samsung has had an opportunity to distribute a patch to fix the vulnerabilities. ZDI gives vendors a 120-day window within which to produce and distribute such a patch. In the meantime, ZDI has released a very brief outline of the exploit types on X, formerly known as Twitter.
Pentest Limited and Interrupt Labs each exploited an improper input validation flaw, while STAR Labs SG and the ToChim team each exploited a permissive list of allowed inputs.
The four teams of hackers involved in exploiting the Samsung Galaxy S23 were awarded a total of $125,000 for demonstrating their zero-day attacks live on stage. The fifth team, which didn’t use a zero-day exploit, was nonetheless awarded a bounty of $6,250.
The total prize money claimed by hacking teams across the entire four days of Pwn2Own 2023 amounted to a staggering $1,038,500. With 58 zero-days in all being demonstrated and handed over to the relevant vendors, this was a good week for hackers and consumers alike. It is far better that these exploits are discovered by those who hand them over for fixing than by those who would exploit them against us for criminal profit or in government-sponsored espionage campaigns.
Those 58 zero-days impacted printers, routers, security cameras, and network-attached storage devices, among other consumer devices. The full list of successful exploits can be found on the ZDI Pwn2Own blog.
I have reached out to Samsung for a statement and will update this article should one be forthcoming.