Samsung Galaxy S22 was compromised in four different ways at Pwn2Own Toronto, which also targeted printers and network devices
No fewer than 63 critical security flaws were discovered in just three days of Pwn2Own Toronto, resulting in $989,700 (approx. R$5.1 million) in prizes. Last week, between December 6-9, the Canadian edition of one of the world’s major bug bounty events took place, with four serious exploits against the Samsung Galaxy S22 smartphone among the main highlights.
In one of the flaws found on the device, for example, improper input validation could lead to malicious exploitation; that bug paid one of the biggest prizes of the event, US$50,000, approximately R$262,000. Another similar vulnerability was found in the Galaxy S22’s software, which netted the experts responsible $25,000, while a third exploit took the researchers just 55 seconds to execute.
The more than 60 flaws found also affect several Internet of Things devices, printers, routers, modems and storage systems from brands such as HP, Canon, Netgear, TP-Link, Lexmark, Western Digital and others. However, contrary to the organization’s expectations, Pwn2Own Toronto saw no attempts to compromise devices such as the iPhone 13 and the Google Pixel 6.
In the case that illustrates this article, for example, the specialists were able to display the image of the “shocked Pikachu” on the screen of a Canon printer, through a flaw that would allow internal elements of the system to be modified to steal data or facilitate intrusions. In another example with a branded device, remote code execution was possible, which would have allowed malware to be installed or lateral movement across the network.
After a pre-registration phase, in which teams indicate what they want to run on each device, the exploits are demonstrated live in front of a panel of experts. The flaws are validated on devices running the latest updates, in their default settings, and are disclosed publicly only with few details, so that cybercriminals won’t exploit them.
In addition to the cash prizes, which are higher the more critical the zero-day flaws found, the teams also earn points that contribute to an overall ranking. In this edition of Pwn2Own, the winning team was DEVCORE, from Taiwan, which offers professional penetration testing services and subjects corporate networks to legitimate intrusion attempts, in order to find openings before real danger arises. The team’s researchers received, in total, US$142,500, or approximately R$744,000 in direct conversion.
Now, all manufacturers of devices and products compromised during the three-day event will be notified, with technical details of all breaches revealed to them. Everyone has 120 days, the so-called responsible disclosure period, to release updates or corrections before the information is made public.
Source: Pwn2Own Toronto
Source: Terra

Camila Luna is a writer at Gossipify, where she covers the latest movies and television series. With a passion for all things entertainment, Camila brings her unique perspective to her writing and offers readers an inside look at the industry. Camila is a graduate of the University of California, Los Angeles (UCLA) with a degree in English and is also an avid movie watcher.