Samsung’s flagship phones are regularly at the top of the range in the smartphone market and are an almost infallible choice for most users. However, these devices are not without their flaws, as the participants in this year’s Pwn2Own hacking competition have shown.
During the four-day event in Toronto, Samsung’s hardware was hacked by several competitors, and two of them found zero-day vulnerabilities and successfully exploited them. On the third day of Pwn2Own 2022, security experts went further and hacked the Galaxy S22 in less than 60 seconds.
Experts from Pentest Limited demonstrated the vulnerability of the Galaxy S22 that day, using an Improper Input Validation attack to gain access to the device in just 55 seconds. The Pwn2Own competition is sponsored by Trend Micro, an IT security company; the team scored five points and took home a prize of US$25,000.
It should be noted that all of the hacked Galaxy S22 phones were running Android 13 with the One UI 5 user interface, and that all devices had the latest security patch installed – as required by the rules of the Pwn2Own competition.
Samsung Galaxy S22 phone vulnerability
Although the record-time hack of Samsung’s 2022 flagship phone drew the most attention, the Galaxy S22 was actually hacked on four different occasions during the competition.
During the first day, two zero-day vulnerabilities were discovered on the device and the contestants successfully exploited them. For those who are not familiar – a zero-day is a vulnerability that was previously unknown to the device manufacturer and for which no patch is yet available.
The STAR Labs team found and exploited the first zero-day vulnerability on the Galaxy S22, earning $50,000 and five points, while competitor Chim found the second vulnerability and successfully demonstrated it, earning $25,000 and five points in the process.
Should you be worried?
If you own a Samsung Galaxy S22, the news that your phone can be hacked in less than 60 seconds is certainly worrying, and concern for the privacy of your device and the data on it is understandable. However, this is actually good news.
Hacking competitions like Pwn2Own are designed to give cybersecurity researchers and ethical hackers an opportunity to showcase their skills, but they also provide valuable information to the manufacturers whose devices have been hacked. If a cybercriminal discovered these zero-day vulnerabilities, that would be a cause for concern, as they could be used in attacks before Samsung has a chance to “patch” them. In this case, however, Samsung and the other manufacturers are fully aware of what happened at the Pwn2Own competition, so their engineers are probably already working on fixes for these problems.
Samsung wasn’t the only manufacturer whose devices were hacked by Pwn2Own’s competitors – the same happened to devices from Cisco, Netgear, Canon, Ubiquiti, Sonos, Lexmark, Synology and Western Digital.