The Galaxy S23 may be one of the most secure Android phones, but it is not impermeable. No smartphone is, regardless of who manufactures it. The Zero Day Initiative's ongoing Pwn2Own event in Toronto highlights that consumer electronics are always susceptible to attacks, and smartphones from both Samsung and Xiaomi were the focus of some newly discovered zero-days.
A zero-day is a vulnerability in a computer system that was previously unknown to its developers or anyone capable of mitigating it (via Wikipedia). Through its Pwn2Own event, the Zero Day Initiative encourages security researchers to report zero-day vulnerabilities privately to vendors. Cash rewards are at stake.
On the first day of the ongoing Pwn2Own 2023 Toronto event, researchers were able to exploit two zero-days affecting the Galaxy S23 and two zero-days on the Xiaomi 13 Pro. Once again, these exploits were previously unknown to Samsung, Google (and Xiaomi), or anyone able to patch them.
$75,000 awarded for discovering two Galaxy S23 zero-days
According to the Zero Day Initiative blog, Star Labs SG was able to exploit a permissive list of allowed input against the Galaxy S23. For discovering and demonstrating this zero-day, they earned $25,000 and 5 Master of Pwn points.
The bigger prize of $50,000 and 5 Master of Pwn points went to Pentest Limited for exploiting an improper input validation flaw on the Galaxy S23.
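Both weakness classes named above (a permissive list of allowed input, and improper input validation more generally) come down to a check that accepts more than its author intended. The following Python is an added, constructed illustration of that class and has nothing to do with the actual Galaxy S23 bugs, whose details are withheld until they are patched; the allowlist, host names and URLs are all invented for the example.

```python
"""Constructed illustration of an overly permissive allowlist beside a strict one.
Not related to the Galaxy S23 findings; every value here is made up."""
from urllib.parse import urlsplit

# Constructed allowlist: hosts an app component is supposed to accept links from.
ALLOWED_HOSTS = {"updates.example.com", "cdn.example.com"}


def permissive_check(url: str) -> bool:
    """Weak validator: accepts a URL if any allowed host appears anywhere in it.
    Substring matching lets look-alike hosts, query strings and other schemes through."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_check(url: str) -> bool:
    """Strict validator: parse the URL and require an exact host match plus
    HTTPS, no embedded credentials and no non-standard port."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if port is not None and port != 443:
        return False
    # urlsplit lowercases hostname, so the comparison is case-insensitive by design.
    return parts.hostname in ALLOWED_HOSTS


def compare(urls):
    """Return {url: (permissive_result, strict_result)} so the gap is visible."""
    return {u: (permissive_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    # Constructed inputs: one legitimate link and three that only the weak check accepts.
    samples = [
        "https://updates.example.com/firmware.bin",
        "https://updates.example.com.evil.test/firmware.bin",
        "https://evil.test/download?ref=cdn.example.com",
        "http://cdn.example.com/firmware.bin",
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"{url}\n  permissive={weak}  strict={strict}")
```

The permissive checker accepts all four constructed URLs; the strict one accepts only the first. The practical point is that an allowlist must compare a parsed, normalised field against exact entries rather than search raw input for an allowed value.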
These newly discovered vulnerabilities will likely be addressed in future security patches, and the exploit methods will be kept secret until then.
Security researchers have also found zero-days in the Xiaomi 13 Pro. Team Viettel earned $40,000 for executing a single-bug attack against the Xiaomi 13 Pro, and NCC Group earned $20,000 by demonstrating a zero-day on the same device.
All of this happened on the first day of the Pwn2Own 2023 Toronto event. There is a high probability that even more zero-days will be demonstrated before the event ends on October 27. We'll keep you posted.