Security researchers attending the Pwn2Own 2023 event in Toronto have successfully demonstrated three more security vulnerabilities affecting the Galaxy S23. The event hosted by Zero Day Initiative (ZDI) began earlier this week, and so far, the Galaxy S23 has been the subject of five hacks in total.
On the first day of the event, the Galaxy S23 was successfully attacked through zero-day vulnerabilities two times. Over the course of the next two days, the Galaxy S23 series experienced a few other live hacks.
Story continues after the video
Zero-days are security vulnerabilities of which the OEM, in this case, Samsung, is unaware. Through its Pwn2Own event, ZDI encourages security researchers who demonstrate zero-day exploits to pass the information onto OEMs without publicizing their findings. For their efforts, white hats can win cash prizes.
Galaxy S23 hacked live three more times in two days
On the 2nd day of the Pwn2Own event, Interrupt Labs successfully executed an improper input validation attack against the Galaxy S23. In addition, ToChim exploited a permissive list of allowed inputs on the same Samsung flagship.
For demonstrating these two zero-days on the Galaxy S23, each security researcher earned $25,000 and 5 Master of Pwn points.
Moving on to Day 3, Team Orca of Sea Security was able to execute an attack on the Galaxy S23. However, ZDI confirms this bug was previously known. Team Orca won $6,250 and 1.25 Master of Pwn points.
The valuable information gathered by these researchers will likely be used by Samsung (and possibly Google) to develop new security patches. The methods behind the exploits have not been made public, so it's unclear how exactly they work and if there are other Galaxy devices affected by these issues. Usually, new exploits are detailed in official security changelogs once they get patched. We might hear more about these vulnerabilities in the coming months.