It was the best of times for security researchers; it was the worst of times for Samsung. In the four days ending October 27, the Samsung Galaxy S23 was successfully hacked four times by elite security researchers using zero-day exploits. The iPhone 14 and Pixel 7 emerged unscathed. However, it’s not all bad news, as the zero-day exploits have been handed over to Samsung to fix. Samsung now has 120 days to do so before the exploit methods are publicly disclosed.

Who hacked Samsung Galaxy S23?

The Samsung Galaxy S23 smartphone was taken down during the annual Pwn2Own hacking event organized by Trend Micro’s Zero Day Initiative (ZDI). This consumer-oriented event, held in Toronto, Canada, took place between October 24 and 27. Although four smartphones were in scope for the competition, only the Samsung Galaxy S23 and Xiaomi 13 Pro were successfully exploited. The Apple iPhone 14 and Google Pixel 7 remained undefeated.

Against the Samsung Galaxy S23, hackers from Pentest Limited, Star Labs SG, Interrupt Labs, and ToChim each executed successful zero-day exploits during the four days of the competition.

A fifth successful hack of the Samsung Galaxy S23, by Sea Security’s Team Orca, used a previously known exploit rather than a zero-day.

Meanwhile, researchers from NCC Group and Team Viettel also executed successful zero-day exploits against the Xiaomi 13 Pro.

Which zero-day exploits were used to hack the Samsung Galaxy S23?

As already mentioned, the full technical details of the successful zero-day exploits will not be made public until Samsung has had the opportunity to distribute a patch that fixes the vulnerabilities. ZDI gives vendors 120 days to produce and distribute such patches. In the meantime, ZDI has posted brief outlines of the exploit types on X, formerly known as Twitter.

Pentest Ltd executed an improper input validation exploit, Star Labs SG exploited a permissive list of allowed inputs, as did ToChim, and Interrupt Labs used an improper input validation exploit.

How much money did the Pwn2Own hackers make?

The four teams of hackers who exploited the Samsung Galaxy S23 with zero-days were awarded a total of $125,000 for performing their attacks live at the event. The fifth team, which did not use a zero-day, was still awarded a prize of $6,250.

The total prize money claimed by hacking teams across the four days of Pwn2Own 2023 was $1,038,500. With a total of 58 zero-days exposed and handed over to the respective vendors, it was a good week for both hackers and consumers. It is far better for these exploits to be discovered by researchers who submit them for fixing than by those who would use them for criminal gain or in government-sponsored espionage campaigns against us.

Those 58 zero-days affected printers, routers, security cameras, and network-attached storage devices, among other consumer devices. The full list of successful exploits can be found on the ZDI Pwn2Own blog.

[Image: Pwn2Own 2023 Toronto final leaderboard. Source: ZDI]

I’ve contacted Samsung for a statement and will update this article if one comes back.