Samsung recently experienced both high and low moments, particularly during a four-day period ending on October 27. The company’s latest model, the Samsung Galaxy S23, was compromised by top security researchers who utilized previously unknown vulnerabilities to hack the device four times. In contrast, competitors’ models, the iPhone 14 and Pixel 7, remained secure and were not hacked.
The breaches occurred at the prestigious Pwn2Own hacking contest, sponsored by Trend Micro’s Zero Day Initiative and held in Toronto, Canada. The event ran from October 24 to October 27. Among the participating devices, hackers managed to breach only the Samsung Galaxy S23 and the Xiaomi 13 Pro, with the latter also falling victim to successful exploits.
Teams from Pentest Limited, STAR Labs SG, Interrupt Labs, and ToChim showcased their expertise by employing novel exploits against the Galaxy S23 over the course of the event. Additionally, a fifth hack on the Galaxy S23 by Team Orca from Sea Security was notable, although it involved an exploit that was already known.
Experts from NCC Group and Team Viettel successfully conducted zero-day exploits against the Xiaomi 13 Pro as well.
The specific vulnerabilities exploited will not be disclosed until Samsung has had the opportunity to address them. The company has been given a 120-day deadline to issue patches before the details of these exploits are made public. Zero Day Initiative has provided a brief description of the exploit types but has withheld full technical information until Samsung remedies the situation.
In terms of financial gains, the hacking teams that exposed the vulnerabilities in the Galaxy S23 collectively earned $125,000 for presenting their attacks. Despite using a known exploit, the fifth team received a reward of $6,250.
The total prize pool awarded during the Pwn2Own 2023 event amounted to over one million dollars, with 58 zero-day exploits showcased and then reported to the affected companies. The discovery and reporting of these vulnerabilities serve the greater good by ensuring they are fixed rather than exploited maliciously for profit or espionage.
The exploits impacted a wide array of devices, including printers, routers, security cameras, and storage units. More information and a complete list of exploits can be found on the official Pwn2Own blog.
As the tech community awaits further action from Samsung, the article promises to update readers with any statements from the company regarding these developments.