IoT Security

Hackers Earn $400k on First Day at Pwn2Own Toronto 2023

NAS devices, printers, IP cameras, speakers, and mobile phones were hacked on the first day at Pwn2Own Toronto 2023.

The Pwn2Own Toronto 2023 hacking contest kicked off yesterday and participants successfully hacked NAS, printers, mobile phones, and other types of devices, earning a total of more than $400,000 on the first day.

The highest reward of the day went to team Orca of Sea Security, which executed a two-vulnerability exploit chain (out-of-bounds read and use-after-free) against the Sonos Era 100 speaker, earning $60,000.

The Pentest Limited team earned the second highest reward of the day, at $50,000, for an improper input validation exploit targeting the Samsung Galaxy S23 mobile phone.

The team also earned a $40,000 reward for a two-bug exploit chain (denial-of-service and server-side request forgery) leading to the compromise of Western Digital’s My Cloud Pro Series PR4100 network-attached storage (NAS) product.

Two other $40,000 rewards were earned for exploits targeting the Xiaomi 13 Pro mobile phone (team Viettel – single-bug exploit) and the QNAP TS-464 NAS device (team ECQ – a three-bug exploit chain involving a server-side request forgery and two injection flaws).

Vulnerabilities in the Synology BC500 IP camera were also exploited on the first day of the contest, with hackers earning roughly $50,000 for the exploits.

Additional exploits targeting the Xiaomi 13 Pro and the Samsung Galaxy S23 were demonstrated as well and earned the hacking teams more than $40,000 in rewards.

The participating teams and individual hackers also pwned the Canon imageCLASS MF753Cdw and the Lexmark CX331adwe printers, earning more than $60,000 for their exploits.

According to ZDI, not all the exploits demonstrated on the first day of Pwn2Own Toronto 2023 were new, but participants still earned lower-tier rewards for their efforts.

The hacking competition will continue until Friday, with exploits to be demonstrated in the NAS devices, smart speakers, printers, mobile phones, and surveillance systems categories.

Missing from the contest are smart vehicles, which will be present at Pwn2Own Automotive, set to be hosted at the Automotive World conference in Tokyo, Japan, in January 2024. It will be the first Pwn2Own competition dedicated to automotive systems.

Related: Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own

Related: VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest

Related: ZDI Discusses First Automotive Pwn2Own

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
