Ryan Haines / Android Authority
TL;DR
- The Samsung Galaxy S23 was hacked twice on the first day of Toronto’s Pwn2Own contest.
- The device was running the latest Android software version and security patches.
- Researchers also breached the Xiaomi 13 Pro’s security measures twice.
The Samsung Galaxy S23 had a tough first day at Toronto’s Pwn2Own hacking contest. Researchers participating in the event were able to exploit the Samsung flagship smartphone twice.
The first exploit stemmed from an allowed list of inputs outlined by the competition, while the second group was able to exploit the smartphone’s input validation technique. In simpler terms, improper input validation can allow a hacker to dupe an application and execute code or control a resource on the device.
Success! Pentest Limited was able to execute an Improper Input Validation against the Samsung Galaxy S23. They earn $50,000 and 5 Master of Pwn points. #Pwn2Own pic.twitter.com/VaLc1mnhiH
According to the competition’s rules, entrants must “compromise the device by browsing to web content in the default browser for the target under test” or by communicating with the device using NFC, Wi-Fi, or Bluetooth. The device must also be running the latest software version and patches.
While the news might be alarming for Galaxy S23 owners, the competition provides a safe space and prize money for ethical researchers to discover and exploit vulnerabilities in popular devices. Overall, it improves the security of some of the best smartphones and products on the market.
Which other smartphones were pwned?
The Galaxy S23 is one of four phones available to competitors at the event, alongside the Google Pixel 7, iPhone 14, and Xiaomi 13 Pro. While Google and Apple’s flagships left day one unbreached, the same can’t be said for the 13 Pro. The Xiaomi flagship’s security measures fell to two breaches, one from a zero-day bug.
Several additional devices, including smart home equipment, network storage devices, and printers, were also exploited on the first day of this year’s competition.
Notably, the Galaxy S22 running Android 13 was hacked in just 55 seconds during the Toronto edition of the contest last year. Its security was breached four times across the contest’s four-day span.
This year’s Pwn2Own runs until October 27, so expect to hear of new vulnerabilities in several more popular devices this week.