The Pwn2Own Toronto 2023 hacking competition recently concluded, with security researchers securing $1,038,500 for 58 zero-day exploits and multiple bug collisions targeting a range of consumer products over four days in late October.
Organized by Trend Micro’s Zero Day Initiative (ZDI), this event was primarily focused on mobile and IoT devices. Notable targets included mobile phones like the Apple iPhone 14, Google Pixel 7, Samsung Galaxy S23, and Xiaomi 13 Pro, along with printers, wireless routers, network-attached storage (NAS) devices, home automation hubs, surveillance systems, smart speakers, and Google’s Pixel Watch and Chromecast devices. All devices were in their default configurations and running the latest security updates.
Although no teams attempted hacks on the Apple iPhone 14 and Google Pixel 7 smartphones, the Samsung Galaxy S23 faced four successful breaches. The Pentest Limited team was the first to demonstrate a zero-day vulnerability in the Galaxy S23, exploiting an improper input validation flaw for code execution, earning $50,000 and 5 Master of Pwn points. The STAR Labs SG team also exploited a permissive list of allowed inputs to hack the same device, earning $25,000 in the first round and half that prize in the second, along with 5 Master of Pwn points.
Additional security researchers from Interrupt Labs and the ToChim team also managed to breach the Galaxy S22 on the second day by exploiting permissive input lists and another improper input validation weakness.
Team Viettel emerged as the competition’s winner, earning $180,000 and 30 Master of Pwn points. They were followed by Team Orca of Sea Security with $116,250 (17.25 points), and DEVCORE Intern and Interrupt Labs, each earning $50,000 and 10 points.
In total, the security researchers successfully demonstrated exploits targeting 58 zero-day vulnerabilities across devices from various vendors, including Xiaomi, Western Digital, Synology, Canon, Lexmark, Sonos, TP-Link, QNAP, Wyze, and HP.
Vendors now have 120 days to release patches for zero-day vulnerabilities exploited during the Pwn2Own event before ZDI discloses them publicly. At the Pwn2Own Vancouver 2023 competition in March, competitors earned $1,035,000 and a Tesla Model 3 car for identifying 27 zero-day vulnerabilities, with several bug collisions along the way.