Last updated: October 27th, 2023 at 14:40 UTC+02:00
On the first day of the event, the Galaxy S23 was successfully attacked twice through zero-day vulnerabilities. Over the next two days, the Galaxy S23 series was subjected to a few other live hacks.
Zero-days are security vulnerabilities of which the OEM (in this case, Samsung) is unaware. Through its Pwn2Own event, ZDI encourages security researchers who demonstrate zero-day exploits to pass the information on to OEMs without publicizing their findings. For their efforts, white hats can win cash prizes.
On the 2nd day of the Pwn2Own event, Interrupt Labs successfully executed an improper input validation attack against the Galaxy S23. In addition, ToChim exploited a permissive list of allowed inputs on the same Samsung flagship.
For demonstrating these two zero-days on the Galaxy S23, each security researcher earned $25,000 and 5 Master of Pwn points.
Moving on to Day 3, Team Orca of Sea Security was able to execute an attack on the Galaxy S23. However, ZDI confirms this bug was previously known. Team Orca won $6,250 and 1.25 Master of Pwn points.
The valuable information gathered by these researchers will likely be used by Samsung (and possibly Google) to develop new security patches. The methods behind the exploits have not been made public, so it's unclear exactly how they work and whether other Galaxy devices are affected by these issues. Usually, new exploits are detailed in official security changelogs once they get patched. We might hear more about these vulnerabilities in the coming months.
Mihai is a blogger and column writer at SamMobile.