Security researchers hacked the Samsung Galaxy S23 twice during the first day of the consumer-focused Pwn2Own 2023 hacking contest in Toronto, Canada. They also demoed exploits and vulnerability chains targeting zero-days in Xiaomi's 13 Pro smartphone, as well as printers, smart speakers, Network Attached Storage devices, and surveillance cameras from Western Digital, QNAP, Synology, Canon, Lexmark, and Sonos.

Pentest Limited was the first to demo a zero-day on Samsung's flagship Galaxy S23 device, exploiting an improper input validation weakness to gain code execution and earning $50,000 and 5 Master of Pwn points. The STAR Labs SG team also exploited a permissive list of allowed inputs to hack a Samsung Galaxy S23, earning $25,000 and 5 Master of Pwn points. "While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points," the organizers explain.

According to the Pwn2Own Toronto 2023 contest rules, all targeted devices run the latest operating system versions with all security updates installed. ZDI awarded $438,750 during the first day of the contest for 23 successfully demoed zero-day vulnerabilities.

During the Pwn2Own Toronto 2023 hacking event organized by Trend Micro's Zero Day Initiative, competitors can target mobile and IoT devices. The complete list includes mobile phones, printers, wireless routers, network-attached storage devices, home automation hubs, surveillance systems, smart speakers, and Google's Pixel Watch and Chromecast devices, all in their default configuration and running the latest security updates. The highest rewards are for zero-day bugs in the mobile phone category, with cash prizes of up to $300,000 for hacking the iPhone 14 and $250,000 for the Pixel 7, with more than $1,000,000 in cash available for contestants.
Successfully exploiting Google and Apple devices also provides $50,000 bonuses if the exploit payloads execute with kernel-level privilege, bringing the maximum possible award for a single challenge to a total of $350,000 for a full exploit chain with kernel-level access targeting the Apple iPhone 14.

You can find the complete schedule of the contest here. The full schedule for Pwn2Own Toronto 2023's first day and the results for each challenge are listed here.

On the second day of the contest, the Samsung Galaxy S23 will again be tested by security researcher Le Xich Long and hackers at vulnerability research firm Interrupt Labs.

In March, during the Pwn2Own Vancouver 2023 competition, researchers were awarded $1,035,000 and a Tesla Model 3 car for exploiting 27 zero-days between March 22 and 24.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000